Security Guide
Authentication and SSO
TheChatApp supports local credentials, hashed session tokens, OIDC SSO, separate admin roles, progressive lockout on failed logins, and identity-provider-driven role assignment.
Local authentication
Local users authenticate with username/password credentials. Only a hash of each password is stored, never the plaintext, so a copy of the user table does not directly yield usable credentials. Administrative access is a separate grant from normal workspace membership: being a member of a workspace never implies admin rights.
Session tokens
User sessions use high-entropy random tokens. The server stores only a hash of each token, not the token itself, so a leaked session table cannot be replayed to hijack live sessions. Tokens can be rotated, revoked, and capped in number across a user's signed-in devices.
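As an added example (not TheChatApp's implementation), the store below issues a random token, keeps only its SHA-256 hash, resolves a presented token by hashing it and looking the hash up, and supports revocation, rotation, and a per-user device cap. The cap of three sessions and the seven-day lifetime are assumed values.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_SESSIONS_PER_USER = 3            # assumed device cap for this example
SESSION_TTL_SECONDS = 7 * 24 * 3600  # assumed lifetime for this example


@dataclass
class Session:
    user_id: str
    token_hash: str   # only the hash is persisted; the raw token is returned once
    created_at: float
    expires_at: float
    revoked: bool = False


class SessionStore:
    def __init__(self) -> None:
        self._by_hash: Dict[str, Session] = {}

    @staticmethod
    def _hash(token: str) -> str:
        # The token is 256 bits of CSPRNG output, so an unsalted fast hash is
        # sufficient: there is nothing to dictionary-attack and a leaked
        # table cannot be inverted.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def active_sessions(self, user_id: str, now: Optional[float] = None) -> List[Session]:
        now = time.time() if now is None else now
        return sorted(
            (s for s in self._by_hash.values()
             if s.user_id == user_id and not s.revoked and s.expires_at > now),
            key=lambda s: s.created_at,
        )

    def create(self, user_id: str, now: Optional[float] = None) -> str:
        """Issue a new token; evict the oldest sessions if the device cap is exceeded."""
        now = time.time() if now is None else now
        active = self.active_sessions(user_id, now)
        for old in active[: max(0, len(active) + 1 - MAX_SESSIONS_PER_USER)]:
            old.revoked = True
        token = secrets.token_urlsafe(32)
        digest = self._hash(token)
        self._by_hash[digest] = Session(user_id, digest, now, now + SESSION_TTL_SECONDS)
        return token

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a live token, or None for unknown/revoked/expired."""
        now = time.time() if now is None else now
        s = self._by_hash.get(self._hash(token))
        if s is None or s.revoked or s.expires_at <= now:
            return None
        return s.user_id

    def revoke(self, token: str) -> bool:
        s = self._by_hash.get(self._hash(token))
        if s is None or s.revoked:
            return False
        s.revoked = True
        return True

    def rotate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Swap a live token for a fresh one, e.g. after a privilege change."""
        user_id = self.resolve(token, now)
        if user_id is None:
            return None
        self.revoke(token)
        return self.create(user_id, now)
```

Rotation revokes before it creates, so the device count does not change; a plain `create` past the cap evicts the oldest live session rather than refusing the new login.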
OIDC SSO
OIDC SSO supports providers such as Microsoft Entra ID, Okta, and Google. TheChatApp validates the signature and claims of the signed ID token issued by the provider, and can apply identity-provider group claims to assign roles during login.
OIDC and SCIM are separate integrations: OIDC authenticates users, while SCIM provisions user and group lifecycle data.
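The following added example, which is not TheChatApp's code, shows the login-time checks an OIDC relying party performs on an ID token: pin the expected algorithm, verify the signature, then check `iss`, `aud`, `exp`, `iat` and `nonce` before trusting `sub`, and finally map the provider's `groups` claim to application roles. To stay self-contained it uses an HMAC-signed (HS256) token with a shared key; a real provider signs with an RSA or EC key published in its JWKS, so in production the signature step is done by a JOSE library against that key, while the claim checks are the same. The issuer, audience, and group-to-role table are assumed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, List, Optional

# Assumed configuration for this example (not TheChatApp's real settings).
EXPECTED_ISSUER = "https://login.example-idp.test/"
EXPECTED_AUDIENCE = "thechatapp-client-id"
GROUP_TO_ROLE = {"chat-admins": "admin", "chat-users": "member"}
CLOCK_SKEW_SECONDS = 60


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_id_token(token: str, key: bytes, nonce: str,
                    now: Optional[float] = None) -> Dict[str, Any]:
    """Verify signature and OIDC claims; return the claims or raise ValueError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        raise ValueError("malformed token")
    # Pin the algorithm: the token must never choose how it is verified
    # (this is what blocks alg=none and key-confusion attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == EXPECTED_AUDIENCE or (isinstance(aud, list) and EXPECTED_AUDIENCE in aud)):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) + CLOCK_SKEW_SECONDS < now:
        raise ValueError("expired")
    if claims.get("iat", now) - CLOCK_SKEW_SECONDS > now:
        raise ValueError("issued in the future")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")  # binds the token to this login attempt
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def roles_from_groups(claims: Dict[str, Any]) -> List[str]:
    """Map IdP group claims to application roles; unknown groups grant nothing."""
    return sorted({GROUP_TO_ROLE[g] for g in claims.get("groups", []) if g in GROUP_TO_ROLE})


def login_from_id_token(token: str, key: bytes, nonce: str,
                        now: Optional[float] = None) -> Optional[Dict[str, Any]]:
    """Login step: {"sub", "roles"} on success, None if the token is rejected."""
    try:
        claims = verify_id_token(token, key, nonce, now)
    except ValueError:
        return None
    return {"sub": claims["sub"], "roles": roles_from_groups(claims)}


def make_test_token(claims: Dict[str, Any], key: bytes) -> str:
    """Constructed HS256 token for the demo only; a real IdP signs with RS256/ES256."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"
```

Roles are derived from the `groups` claim at each login, so a group change at the identity provider takes effect on the next sign-in; it does not deprovision existing accounts, which is SCIM's job.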
Rate limiting
Repeated authentication failures trigger progressive lockout, tracked by username or by source IP address. Each lockout lasts longer than the previous one, starting at one minute and rising to a one-hour cap as failures accumulate, and every rate-limit event is recorded for audit review.
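As an added example of the policy above (not TheChatApp's implementation), the limiter below keeps a failure counter per username and per source IP, locks whichever scope crossed the threshold, doubles the lockout from one minute up to a one-hour cap on each further failure, and appends an audit record for every lockout. The threshold of five failures, the doubling schedule, and the one-hour forgetting window are assumptions; the page only states the one-minute floor and one-hour ceiling.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed policy for this example.
FAILURE_THRESHOLD = 5   # failures before the first lockout
MIN_LOCKOUT = 60        # one minute (from the page)
MAX_LOCKOUT = 3600      # one hour (from the page)
FAILURE_WINDOW = 3600   # failures older than this no longer count


def lockout_seconds(failures: int) -> int:
    """0 below the threshold, then 60s, 120s, 240s ... capped at 3600s."""
    if failures < FAILURE_THRESHOLD:
        return 0
    return min(MIN_LOCKOUT * 2 ** (failures - FAILURE_THRESHOLD), MAX_LOCKOUT)


@dataclass
class _Counter:
    failures: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0


class LoginLimiter:
    def __init__(self) -> None:
        self._counters: Dict[Tuple[str, str], _Counter] = {}
        self.audit_log: List[Dict[str, object]] = []

    def check(self, username: str, ip: str, now: Optional[float] = None) -> Optional[float]:
        """Seconds remaining if the username OR the IP is locked, else None.

        Call this before checking the password so a locked attempt does no work
        and reveals nothing about whether the credentials were right.
        """
        now = time.time() if now is None else now
        remaining = 0.0
        for scope, key in (("user", username), ("ip", ip)):
            c = self._counters.get((scope, key))
            if c and c.locked_until > now:
                remaining = max(remaining, c.locked_until - now)
        return remaining or None

    def record_failure(self, username: str, ip: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        for scope, key in (("user", username), ("ip", ip)):
            c = self._counters.setdefault((scope, key), _Counter())
            if now - c.last_failure > FAILURE_WINDOW:
                c.failures = 0
            c.failures += 1
            c.last_failure = now
            duration = lockout_seconds(c.failures)
            if duration:
                c.locked_until = now + duration
                self.audit_log.append({"event": "lockout", "scope": scope, "key": key,
                                       "failures": c.failures, "seconds": duration, "at": now})

    def record_success(self, username: str, ip: str) -> None:
        # Only the username counter is cleared. Clearing the IP counter on a
        # success would let an attacker reset it by interleaving logins to an
        # account they control while spraying others from the same address.
        self._counters.pop(("user", username), None)
```

Because both scopes are consulted, a password-spray from one address locks that address even though no single username crosses the threshold, and a distributed attack on one account locks that username even though no single address does.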