Authentication
SecureCodingHub supports multiple authentication methods. All sessions use JWT tokens with short expiration times to limit the window in which a leaked token can be used.
Authentication Methods
Choose the authentication method that best fits your organization:
Magic Code (Email OTP)
Passwordless login via a 6-digit code sent to the user's email address. This is the default method for all users. Codes expire after 10 minutes, and there is no password to manage or remember.
OIDC (OpenID Connect)
Enterprise SSO via Azure AD, Okta, or compatible providers. Authorization code flow with PKCE. Recommended for organizations.
SAML 2.0
Federation-based SSO for enterprise environments. SP-initiated login flow.
Magic Code Flow
The default passwordless authentication flow works as follows:
1. The user enters their email address.
2. The server sends a 6-digit OTP to that email address.
3. The user enters the code.
4. The server verifies the code and issues a JWT.
5. The JWT is stored in the browser for session management.
SSO Flow
When SSO is configured for your organization, the authentication flow changes:
1. The user enters their email address; the system detects that SSO is enabled for their domain.
2. The browser redirects to the identity provider.
3. The user authenticates with corporate credentials.
4. The IdP sends an authorization code (OIDC) or a SAML assertion back.
5. The server validates the response and issues a JWT.
6. The user is logged in.
JWT Tokens
All authenticated sessions are managed using JSON Web Tokens:
| Property | Value |
|---|---|
| Algorithm | HS256 |
| Contains | User ID, Organization ID, Role |
| Transmission | `Authorization: Bearer <token>` header |
| Storage | HttpOnly cookie or localStorage |
Session Security
- Tokens are validated on every API request
- Invalid or expired tokens are rejected
- SSO sessions respect IdP session policies
- Magic codes are single-use and time-limited
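The JWT table and the session-security rules above describe what the server must check on each API request: an HS256 signature over the user, organization and role claims, carried in the `Authorization: Bearer` header, with expired or tampered tokens rejected. The following is an added example (not SecureCodingHub's own code) of that mint-and-verify logic using only the Python standard library; the secret, claim names and 15-minute TTL are constructed assumptions.

```python
import base64, hmac, hashlib, json, time

# Constructed demo secret; a real deployment loads this from a secrets store.
SECRET = b"constructed-demo-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id, org_id, role, ttl_seconds=900, now=None):
    """Mint an HS256 JWT carrying the user, organization and role claims with a short expiry."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": user_id, "org": org_id, "role": role,
                                  "iat": now, "exp": now + ttl_seconds},
                                 separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_request(authorization_header, now=None):
    """Validate the bearer token on an API request; return the claims, or None to reject."""
    now = int(time.time()) if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    parts = authorization_header[len("Bearer "):].strip().split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: refuse "none" or anything other than HS256 before touching the signature.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison so signature checks do not leak timing information.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None
    # Expired tokens are rejected even when the signature is valid.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims
```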