Authentication

How to sign in to varsafe and secure your account.

Login Methods

varsafe supports multiple ways to sign in:

Method	Description
Email/password	Standard email and password login
Google OAuth	Sign in with your Google account
GitHub OAuth	Sign in with your GitHub account
GitLab OAuth	Sign in with your GitLab account
Bitbucket OAuth	Sign in with your Bitbucket account
Passkey	Passwordless login with biometrics or security key
SSO	SAML 2.0 or OIDC through your company's IdP. See Single Sign-On

OAuth Login

Click the provider button on the login page. You'll be redirected to the provider to authorize varsafe, then returned with a session created automatically. If an account with your email already exists, the OAuth identity is linked to it.

---

Passkeys

Passkeys provide passwordless, phishing-resistant authentication using biometrics (Touch ID, Face ID) or hardware security keys (YubiKey).

Adding a Passkey

1. Navigate to Profile → Security
2. Click Add passkey
3. Enter a name (e.g., "MacBook Pro Touch ID", "YubiKey 5")
4. Follow your browser's WebAuthn prompt
5. Confirm with biometrics or security key tap

You can register multiple passkeys for redundancy.

Passkey-Only Mode

Passkey-only mode disables password login entirely, requiring a passkey for every sign-in. This is the strongest protection against phishing and credential theft.

To enable:

1. Register at least 2 passkeys (for recovery)
2. Go to Profile → Security
3. Toggle Passkey-only mode on

To disable:

1. Go to Profile → Security
2. Toggle Passkey-only mode off
3. Enter your password to confirm

WARNING

With passkey-only mode enabled, password login returns an error. Make sure you have at least two working passkeys before enabling.

Removing a Passkey

1. Go to Profile → Security
2. Find the passkey in the list
3. Click Remove

---

Two-Factor Authentication (2FA)

Add a second layer of protection with TOTP (Time-based One-Time Password).

Enable 2FA

1. Go to Profile → Security
2. Click Enable 2FA
3. Enter your password
4. Scan the QR code with an authenticator app (Google Authenticator, Authy, 1Password, etc.)
5. Enter the 6-digit verification code
6. Save your backup codes — store them somewhere safe

Using 2FA

After entering your email and password, you'll be prompted for a 6-digit code from your authenticator app. Codes rotate every 30 seconds.

Backup Codes

Backup codes are single-use codes for when you lose access to your authenticator app. Each code can only be used once. Store them in a password manager or secure location.

Disable 2FA

1. Go to Profile → Security
2. Click Disable 2FA
3. Enter your password and a valid TOTP code to confirm

---

Device Trust

When you sign in from a new device without 2FA enabled, varsafe sends a one-time verification code to your email. Once verified, the device is marked as trusted and won't require email verification again.

How It Works

1. You sign in with email/password from an unrecognized device
2. varsafe sends a one-time code to your email
3. Enter the code to complete sign-in
4. The device is automatically trusted for future logins

Device trust is skipped for:

• Passkey login — passkeys are already device-bound
• OAuth login — the provider handles device verification
• First login after registration — the device used to register is trusted automatically

Managing Trusted Devices

1. Go to Profile → Security → Trusted Devices
2. See all trusted devices with browser and OS info
3. Click Remove next to a device to untrust it
4. Click Remove all to untrust every device

Removing a trusted device means the next login from that device will require email verification again.

---

Session Management

Viewing Sessions

1. Go to Profile → Security → Active Sessions
2. See all active sessions with:
   • Device and browser info
   • IP address
   • Last active time
   • Whether it's the current session

Revoking Sessions

• Click Revoke next to any session to end it immediately
• Click Revoke all other sessions to keep only your current session

Revocation is instant — the revoked session cannot make any further requests.

Session Limits

Each plan has a maximum number of concurrent sessions:

Plan	Max Sessions
Developer	5
Team	Unlimited

When you hit the session limit, you'll be prompted to revoke an existing session before signing in.

Session Properties

• Duration — Sessions last 30 days with rolling renewal
• Renewal — Activity within 24 hours of the last update extends the session
• Revocation — Changing your password revokes all sessions

---

CLI Authentication

The CLI supports three authentication methods:

Browser Login (default)

varsafe login

Opens your browser to complete login. The CLI receives a session token after authentication.

Email/Password

varsafe login --email you@example.com

Prompts for your password in the terminal. If 2FA is enabled, prompts for the TOTP code as well.

API Token

For CI/CD and automation, use an API token. There are several ways to pass a token securely — never pass it as a plain CLI argument as it leaks into shell history.

Secure prompt (recommended for interactive use)

varsafe login -T
# or
varsafe login --token-prompt

Prompts for the token with masked input — nothing is saved to shell history.

Environment variable (recommended for CI/CD)

VARSAFE_TOKEN=vs_at_xxx varsafe login

The token lives only in the process environment, not in history. In CI pipelines, inject the token from your CI secrets store:

# GitLab CI example
deploy:
  script:
    - VARSAFE_TOKEN=$VARSAFE_API_TOKEN varsafe login
    - varsafe run -- npm start

Stdin pipe

echo "$VARSAFE_TOKEN" | varsafe login -t -
# or from a file
varsafe login -t - < /dev/shm/token.txt

The - argument tells the CLI to read the token from stdin.

Direct argument (not recommended)

varsafe login -t vs_at_xxxxxxxxxxxxx

WARNING

Passing the token directly as an argument exposes it in shell history, process listings (ps aux), and potentially log files. Prefer one of the methods above.

Headless use without login

For one-off commands, skip varsafe login entirely and set the env var:

export VARSAFE_API_TOKEN=vs_at_xxxxxxxxxxxxx
varsafe run -- npm run dev

See API Tokens for creating and managing tokens.

---

Password Reset

1. Click Forgot password? on the login page
2. Enter your email address
3. Check your email for a reset link (valid for 1 hour)
4. Click the link and set a new password

INFO

Password reset revokes all existing sessions. You'll need to sign in again on all devices.