Signing in
How sign-in, invitations, MFA, and recovery work.
Unphish v2 uses Authentik as the single identity provider in every environment. The application stores no passwords. Sign-in is OIDC; logout returns you to the Unphish sign-in page.
First-time sign-in (after invitation)
- Your administrator sends you a team invitation. You receive an email from Postmark on behalf of Unphish with a one-time link.
- Click the link. The page validates the token (14-day expiry by default) and routes you to Authentik.
- Authentik prompts you to create a password and, if your organization requires it, set up MFA.
- After enrollment, Authentik returns you to the Unphish OIDC callback (
/api/auth/callback/authentik). - The callback creates your local session and routes you to the dashboard appropriate for your role.
If you are a returning user invited to a new organization, the invite acceptance maps your existing Authentik subject to the new membership. You sign in normally and the new organization appears in your scope picker.
What you should not see
- You should not be asked to create a "neon_auth" account. That is the legacy auth path and it is being retired.
- You should not see a generic Authentik-only login screen in production. Sign-in is branded as Unphish.
- You should not be silently logged in as someone else. If you click an invitation while signed in as a different user, the system will prompt you to sign out first.
Returning sign-in
- Visit your environment's sign-in URL (
/signinonunphish-staging.engram.orgor production). - Authentik handles credentials and MFA.
- You return to the Unphish app already authenticated.
Sessions are signed cookies, HttpOnly, and Secure in production. They expire on a configured schedule; you can sign out manually from the user menu.
Recovery
Password and MFA recovery are owned by Authentik, not by Unphish. The "Forgot password" link routes you to the configured Authentik recovery flow (AUTH_AUTHENTIK_RECOVERY_URL), which sends a recovery email and walks you through reset.
If you have lost MFA access, contact your organization admin. Admins can request an MFA reset through the Hub support flow, which is audited.
SSO
If your organization has a verified SSO domain configured, your sign-in is federated through your identity provider (Auth0, Okta, Microsoft Entra ID, Google, etc.). Authentik manages the federation; you do not need an Unphish-specific password.
What v2 does not migrate from v1
These are deliberately not carried over:
- v1 Django passwords. All users get an Authentik enrollment email after migration.
- v1 TOTP secrets. Re-enroll MFA in Authentik.
- v1 sessions. You will be signed out at cutover and need to sign in again.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| "Invitation expired" | Token is older than 14 days. | Ask your admin to resend the invitation. |
| "Invitation already accepted" | Someone (possibly you) already used this token. | Sign in normally. If you cannot, contact your admin. |
| Loop back to sign-in after auth | Cookie blocked or NEXT_PUBLIC_APP_URL mismatch. | Confirm you are on the correct host; check third-party cookie settings. |
| "Authentication unavailable" | Authentik is down or env vars are missing. | Wait and retry; if persistent, escalate to platform operators. v2 has no fallback auth path; this is intentional. |