Authentication & SSO
Agile Flights supports multiple sign-in methods: email and password, GitHub OAuth, and Google OAuth. Organisations on the Enterprise plan can verify their email domain and enforce Google SSO for all users on that domain, with automatic provisioning into the organisation.
Sign-In Methods
The sign-in page at /auth offers three ways to create an account or log in:
- Email and password - the default method, available on all plans.
- Continue with GitHub - OAuth login using your GitHub account.
- Continue with Google - OAuth login using your Google account.
All three methods are available to every user by default. OAuth sign-ins automatically sync your profile picture from the provider. If your organisation enforces SSO (see below), email and password login will be blocked for users with a verified domain email.
Managing Connected Accounts
Users can link multiple OAuth providers to the same account, allowing flexible sign-in options. Account settings are available at Settings > Account (or by navigating directly to /settings/account).
Non-admin users accessing /settings are automatically redirected to /settings/account.
Linking Additional Providers
To link an additional OAuth provider to your account:
- Go to Settings > Account.
- Click Link GitHub or Link Google depending on which provider you want to add.
- Complete the OAuth flow with the selected provider.
- Return to the account page to see the newly linked provider listed under your connected sign-in methods.
Once linked, you can use any of your connected providers to sign in to your account.
Disconnecting Providers
To disconnect an OAuth provider from your account, click the disconnect button next to the connected provider on the account settings page.
You cannot disconnect your last remaining sign-in method. If you only have one provider linked, the disconnect button will be disabled. This prevents you from accidentally locking yourself out of your account. To disconnect a provider, first link an alternative sign-in method, then disconnect the one you no longer need.
Organization Switching
Users who belong to multiple organizations can switch between them without signing out. To switch organizations:
- Open the Team Switcher dropdown in the header.
- Select the desired organization from the organization selector. A checkmark indicates the currently active organization.
Switching organizations updates the dashboard to show that organization's teams and flights. All navigation and data within the app reflects the selected organization until you switch again.
Domain Verification
Domain verification lets an organisation prove ownership of its email domain (e.g. acme.com). This is a prerequisite for SSO enforcement and is available on the Enterprise plan only.
Adding a Domain
Organisation owners can add a domain from Settings > Authentication. Enter your organisation's email domain and click Add Domain. The system generates a unique DNS TXT verification token for your domain.
DNS TXT Record
After adding a domain, you'll see instructions to create a DNS TXT record. Add the following record to your domain's DNS configuration:
- Type: TXT
- Host: _agileflights-verification
- Value: the verification token shown in the UI
DNS changes can take anywhere from a few seconds to 48 hours to propagate, depending on your DNS provider. Most providers propagate within a few minutes.
Verifying the Domain
Once the TXT record is in place, return to Settings > Authentication and click Verify Domain. The system performs a DNS lookup via Cloudflare's DNS-over-HTTPS service to confirm the record exists and matches the expected token. If verification succeeds, the domain is marked as verified with a green badge.
If verification fails, double-check that the TXT record is on the correct subdomain (_agileflights-verification.yourdomain.com) and that the value matches the token exactly. You can retry verification as many times as needed.
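The lookup-and-compare step described above, as an added example that is not Agile Flights' own code. It queries Cloudflare's JSON DNS-over-HTTPS endpoint for the TXT record under the verification label, parses the answer, and accepts the domain only if a record equals the stored token exactly; the record label, endpoint usage and sample responses are assumptions.

```python
import hmac
import json
import urllib.request
from urllib.parse import urlencode

# Hypothetical names: the real Agile Flights verifier is not shown on this page.
RECORD_LABEL = "_agileflights-verification"
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # Cloudflare JSON DoH API

def fetch_txt_records(domain: str) -> dict:
    """Ask Cloudflare DoH for TXT records under the verification label."""
    name = f"{RECORD_LABEL}.{domain}"
    url = f"{DOH_ENDPOINT}?{urlencode({'name': name, 'type': 'TXT'})}"
    req = urllib.request.Request(url, headers={"Accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def txt_values(doh_response: dict) -> list:
    """Extract TXT strings from a DoH JSON answer (TXT RDATA comes back quoted)."""
    # Status 0 is NOERROR; 3 is NXDOMAIN (record not published or not yet
    # propagated); any other status is a lookup error, so nothing is accepted.
    if doh_response.get("Status") != 0:
        return []
    values = []
    for rr in doh_response.get("Answer", []):
        if rr.get("type") != 16:  # 16 is the TXT record type number
            continue
        # Long TXT records are split into several quoted chunks: "aaa" "bbb"
        chunks = [c.strip('"') for c in rr.get("data", "").split('" "')]
        values.append("".join(chunks))
    return values

def domain_is_verified(doh_response: dict, expected_token: str) -> bool:
    """Accept only when a TXT value equals the token exactly, compared in
    constant time so the check leaks nothing about partial matches."""
    return any(hmac.compare_digest(v.encode(), expected_token.encode())
               for v in txt_values(doh_response))

def verify_domain(domain: str, expected_token: str) -> bool:
    """Live check: look up the record and compare against the stored token."""
    return domain_is_verified(fetch_txt_records(domain), expected_token)

# Constructed sample responses (not captured from a real lookup).
SAMPLE_TOKEN = "EXAMPLE-VERIFICATION-TOKEN"
SAMPLE_OK = {"Status": 0, "Answer": [
    {"name": "_agileflights-verification.acme.com", "type": 16, "TTL": 300,
     "data": f'"{SAMPLE_TOKEN}"'}]}
SAMPLE_MISSING = {"Status": 3}  # NXDOMAIN: TXT record not found
```

A record that has not propagated yet shows up as `SAMPLE_MISSING` (NXDOMAIN) and is simply rejected, which is why retrying after propagation is safe.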
SSO Enforcement
Once a domain is verified, organisation owners can enforce Google SSO for all users whose email matches that domain. SSO enforcement is available on the Enterprise plan only and requires at least one verified domain.
Enabling SSO Enforcement
In Settings > Authentication, toggle Require SSO to on. When enabled:
- Users with a verified domain email (e.g. @acme.com) must sign in using Google OAuth. Email and password login is blocked for these users.
- If a user with a verified domain email attempts to sign in with email and password, they will be signed out and redirected to the sign-in page with a message explaining that their organisation requires Google SSO.
- Users whose email does not match a verified domain are unaffected and can continue using any sign-in method.
SSO enforcement is checked after authentication, so the security boundary is enforced at the application level regardless of how the sign-in request originates.
Auto-Provisioning
When SSO enforcement is enabled, users who sign in with Google using a verified domain email are automatically added to the organisation. This means new team members don't need a manual invitation to join the organisation - they simply sign in with their company Google account and they're in.
Auto-provisioning adds users to the organisation only, not to individual teams. Team admins are responsible for adding organisation members to their teams as needed.
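The post-authentication decision that the SSO Enforcement and Auto-Provisioning sections describe, as an added example rather than Agile Flights' own code. It models the plan gate, the Require SSO toggle, exact matching of the email domain against verified domains, and the three outcomes (allow, block, provision); the policy model and outcome names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class OrgAuthPolicy:
    """Hypothetical model of an organisation's Authentication settings."""
    plan: str                      # "free", "team" or "enterprise"
    require_sso: bool              # the Require SSO toggle
    verified_domains: set = field(default_factory=set)

def email_domain(email: str) -> Optional[str]:
    """Lower-cased domain of an address, or None when it is not well formed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()

def sso_required_for(email: str, policy: OrgAuthPolicy) -> bool:
    """Enforcement applies only on Enterprise, only when toggled on, and only
    to an exact verified-domain match ('notacme.com' never matches 'acme.com')."""
    if policy.plan != "enterprise" or not policy.require_sso:
        return False
    domain = email_domain(email)
    verified = {d.lower() for d in policy.verified_domains}
    return domain is not None and domain in verified

def post_auth_decision(email: str, provider: str, policy: OrgAuthPolicy) -> str:
    """Run after the provider has authenticated the user, as the page describes.
    Returns 'allow' (no enforcement), 'block' (sign out and redirect with the
    SSO-required message) or 'provision' (Google sign-in: ensure organisation
    membership, without touching team membership)."""
    if not sso_required_for(email, policy):
        return "allow"
    if provider != "google":   # the page requires Google OAuth for these users
        return "block"
    return "provision"

# Constructed sample policy, not taken from a real organisation.
ACME = OrgAuthPolicy(plan="enterprise", require_sso=True, verified_domains={"acme.com"})
```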
Adding Members to Teams
Since auto-provisioned users join the organisation but not any specific team, team admins need to add them manually. To add an organisation member to a team:
- Navigate to Settings > Teams > [Team Name] > Members.
- Click Add Member.
- Select the organisation member from the dropdown. The dropdown shows organisation members who are not already on the team.
This keeps team composition intentional - the organisation controls who has access to the platform, while team admins control who works on their team's flights.
Sign-In Troubleshooting
During OAuth sign-in, you may occasionally encounter an error. The sections below describe each error type, what you will see, and what to do.
Expired Sign-In Link
An amber warning banner appears with the message "Your sign-in link has expired". This happens when a magic-link or one-time-password token is no longer valid, usually because too much time passed before you clicked the link.
You will see a field to enter your email address. Type your email and submit the form to receive a fresh magic link. Check your inbox and click the new link promptly.
Server Error
A red error banner appears with the message "Sign in failed due to a server error". This indicates an unexpected problem on the server side during the OAuth exchange.
You will see buttons to Retry with Google or Retry with GitHub. Click one of these to attempt sign-in again. If the error persists, wait a few minutes and try once more. Contact support if the problem continues.
Access Denied
An amber warning banner appears with the message "Sign-in request was declined". This typically means the OAuth consent screen was cancelled or the provider denied the request.
You will see retry buttons for Google and GitHub. Click the provider you want to use and complete the OAuth flow without cancelling the popup.
Provider Error
An amber warning banner appears with the message "We had trouble connecting to your sign-in provider. Please try again." This happens when the OAuth provider (Google or GitHub) could not retrieve your user profile after authentication.
You will see buttons to Retry with Google or Retry with GitHub. Click the provider you used to attempt sign-in again. If the error persists, wait a few minutes before retrying. Contact support if the problem continues.
Enterprise Plan Requirement
Google OAuth sign-in is available on all plans. Domain verification and SSO enforcement require the Enterprise plan. The Authentication settings page is visible to all organisation owners, but domain management and SSO toggles show an upgrade prompt on Free and Team plans.
For full details on plan tiers and what each includes, see the Plans & Limits page.