Authentication
Contentrain Studio supports three sign-in methods, each suited to a different role in your team. All authentication flows are handled through the provider/adapter pattern, so the underlying implementation can be swapped without changing any application code.

Sign-In Methods
GitHub OAuth
GitHub OAuth is the primary authentication method for workspace owners. When you sign in with GitHub, Studio gains access to your repositories through the GitHub App, which is required to connect projects.
Best for: Workspace owners and developers who need repository access.
Flow:
- Click Sign in with GitHub on the login page
- You are redirected to GitHub to authorize the Contentrain app
- GitHub redirects you back to Studio's /auth/callback page
- Studio creates your account (and, on first login, a personal workspace) and redirects you to your workspace
TIP
If this is your first login, Studio automatically creates a personal workspace for you. You can create additional team workspaces later.
Google OAuth
Google OAuth provides a convenient sign-in option for team members who do not need direct repository access.
Best for: Content editors, reviewers, and other invited team members.
Flow:
- Click Sign in with Google on the login page
- You are redirected to Google to authorize the Contentrain app
- Google redirects you back to Studio's /auth/callback page, where Studio matches your email to an existing invitation
- You are redirected to your workspace
WARNING
Google OAuth is available only for users who have been invited to a workspace. You cannot create a new account with Google — the workspace owner must invite you first.
Magic Link
Magic Link is a passwordless email-based authentication method. Studio sends a one-time login link to your email address.
Best for: Team members who prefer not to use OAuth providers, or organizations that restrict third-party OAuth.
Flow:
- Click Sign in with email on the login page
- Enter your email address
- Click Send magic link
- Check your inbox and click the link
- Studio verifies the token and signs you in

After the magic link is sent, you will see a confirmation screen with the email address. You can click Try a different email to start over.
TIP
Magic links are single-use and expire after a short period. If your link has expired or has already been used, return to the login page and request a new one.
When to Use Which Method
| Method | Who | Why |
|---|---|---|
| GitHub OAuth | Workspace owners, developers | Required for repository access and GitHub App installation |
| Google OAuth | Invited team members | Quick sign-in with existing Google account |
| Magic Link | Invited team members | Passwordless, no third-party OAuth dependency |
Auth Callback
After any OAuth flow (GitHub or Google), the provider redirects you back to Studio at /auth/callback. This page:
- Validates the OAuth state parameter (CSRF protection)
- Exchanges the authorization code for a session
- Creates or updates the user profile
- Redirects to the workspace dashboard
You do not need to interact with the callback page directly — it handles the handoff automatically.
Session Management
Studio uses encrypted, HTTP-only cookies for session management:
- Encryption: AES-256 encrypted session data
- Storage: Server-side `httpOnly` cookie (not accessible to JavaScript)
- Auto-refresh: Sessions are automatically refreshed on activity
- Expiration: Sessions expire after a period of inactivity
Signing Out
You can sign out at any time by clicking your avatar in the sidebar and selecting Sign out. This clears your session cookie and redirects you to the login page.
Account Deletion
Studio supports full account deletion from the user settings page at /settings:
- Navigate to Settings from the sidebar
- Open the Account tab
- In the Danger Zone, click Delete account
- Confirm by typing your email address
WARNING
Account deletion is permanent. All your data, including workspace ownership, is removed. If you own workspaces with other members, transfer ownership before deleting your account.
Security Considerations
- CSRF protection: OAuth flows use a `state` parameter stored in `sessionStorage` and validated on callback. Because `sessionStorage` is scoped to the browser tab, the callback must complete in the tab that started the flow; a missing or mismatched `state` is rejected before the authorization code is exchanged
- No password storage: Studio never stores passwords. All authentication is delegated to OAuth providers or magic link tokens
- Provider isolation: Authentication logic is contained within the auth provider adapter. No Supabase-specific code exists outside the provider layer
- Role enforcement: Authentication identity is separate from authorization. Roles and permissions are enforced at the API level regardless of sign-in method
Next Steps
- Workspaces — Create and manage your team workspaces
- Team Management — Invite members and assign roles
- Quickstart — Get started with your first project