Authentication & Teams
Skyflo uses JWT-based authentication with refresh token rotation. The first registered user becomes the admin.
First Login
After installation, open the Command Center and register the first account. This account automatically becomes the admin with full permissions.
Authentication Flow
- Login via POST /auth/jwt/login stores auth_token and refresh_token as HttpOnly cookies.
- Access tokens expire after 15 minutes (configurable via jwtAccessTokenExpireMinutes).
- Refresh tokens are rotated automatically every 14 minutes and are valid for 7 days by default.
- Logout revokes the refresh token and clears cookies.
Token Configuration
Set these in the Helm values under engine.config:
| Setting | Default | Description |
|---|---|---|
| jwtAlgorithm | HS256 | JWT signing algorithm |
| jwtAccessTokenExpireMinutes | 15 | Access token lifetime |
| jwtRefreshTokenExpireDays | 7 | Refresh token lifetime |
The jwtSecret under engine.secrets is auto-generated on first install and preserved across upgrades.
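The flow and lifetimes above in one runnable model, added here as an example rather than Skyflo's own code: it mints HS256 access tokens with the 15-minute default, keeps a server-side table of refresh tokens with the 7-day lifetime, and shows that a refresh token replayed after rotation or after logout is rejected. The secret, the in-memory store and the demo() walkthrough are constructed stand-ins; Skyflo's actual refresh endpoint and token storage are not described on this page.

```python
import base64, hashlib, hmac, json, secrets

ACCESS_TTL = 15 * 60         # jwtAccessTokenExpireMinutes = 15
REFRESH_TTL = 7 * 24 * 3600  # jwtRefreshTokenExpireDays = 7
ROTATE_EVERY = 14 * 60       # client rotates a minute before the access token expires
SECRET = b"constructed-demo-secret"  # constructed stand-in for engine.secrets.jwtSecret

_b64 = lambda data: base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT (the jwtAlgorithm default) over the given claims."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_jwt(token: str, now: float, secret: bytes = SECRET):  # claims or None
    if token.count(".") != 2:
        return None
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected).encode(), sig.encode()):  # constant-time
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims.get("exp", 0) > now else None

class RefreshStore:
    """Server-side table of live refresh tokens: rotation replaces, logout revokes."""
    def __init__(self):
        self.live = {}  # refresh token -> (user, expiry)
    def login(self, user: str, now: float):
        refresh = secrets.token_urlsafe(32)
        self.live[refresh] = (user, now + REFRESH_TTL)
        return sign_jwt({"sub": user, "exp": now + ACCESS_TTL}), refresh
    def rotate(self, refresh: str, now: float):
        user, expiry = self.live.pop(refresh, (None, 0))  # single use: old token dies
        return None if user is None or expiry <= now else self.login(user, now)
    def logout(self, refresh: str):
        self.live.pop(refresh, None)

def demo(start: float = 1_700_000_000.0):
    store = RefreshStore()
    access, refresh = store.login("admin@example.com", start)
    t = start + ROTATE_EVERY
    _, refresh2 = store.rotate(refresh, t)                 # routine 14-minute rotation
    store.logout(refresh2)
    return (verify_jwt(access, t) is not None,             # access still valid at 14 min
            store.rotate(refresh, t) is None,              # replayed old refresh rejected
            store.rotate(refresh2, t) is None,             # logged-out refresh rejected
            verify_jwt(access, start + ACCESS_TTL + 1) is None)  # access expired at 15 min
```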
Team Management
Admins can manage team members from the Command Center settings:
- Add members with email and role assignment
- Update roles for existing members
- Remove members from the team
Roles
| Role | Permissions |
|---|---|
| Admin | Full access. Manage team, integrations, approve operations. |
| Member | Use the agent, approve operations, view conversations. |
SSO (Team Plan)
SAML 2.0 and OIDC support for enterprise identity providers is available in the Team plan. Book a demo to learn more.
