Auth
Two surfaces. Two auth models. Both sit on top of Supabase Auth.
Agency users
- Email + password.
- 2FA via TOTP — required for Owners, optional for Members.
- 10 recovery codes generated at 2FA setup; shown once.
- Sessions: 14 days, refresh-rotated.
- Revocable at Settings → Sessions, per device.
- Password reset: standard email link, 60-minute expiry, single-use.
Client portal users
- Magic links only — no passwords.
- Links: 24-hour expiry, single-use.
- Sessions: 7 days, refreshable.
- Per-client roles — see Customer portal.
CLI tokens
- Created via caddi login — paired with a one-time code from the dashboard.
- Scoped to a single user and agency.
- Stored at ~/.caddi/config.json with file mode 0600.
- Revocable individually at Settings → CLI tokens.
Provider tokens
GitHub App, Vercel OAuth/PAT, and Cloudflare API tokens are stored in Supabase Vault with envelope encryption (AES-256). The CLI and dashboard never display secret tokens after creation.
We do not support SAML SSO on Pro today. It’s on the roadmap for the enterprise tier; if you need it, email [email protected].
Rate limits and brute force
- Sign-in: 5 attempts / 15 minutes / IP. Hit it and you get a 5-minute cool-off.
- Magic link request: 3 / 5 minutes / email.
- 2FA codes: 5 attempts / login session.
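As an added illustration (not caddi's or Supabase Auth's own code, which enforces these limits server-side), here is a sliding-window attempt limiter with an optional cool-off, parameterised with the sign-in and magic-link policies above. The key (IP or email), the injectable clock and the sample addresses are assumptions for illustration.

```typescript
// Added example: models the rate-limit policies stated on this page.
// Supabase Auth enforces its own limits; this only mirrors the described behaviour.
interface LimitPolicy {
  maxAttempts: number; // attempts allowed inside one window
  windowMs: number;    // length of the window
  coolOffMs: number;   // block length once the limit is hit (0 = no separate cool-off)
}

interface Decision {
  allowed: boolean;
  retryAfterMs: number; // 0 when allowed
}

// Values taken from the page: 5 / 15 min / IP with a 5-minute cool-off,
// 3 / 5 min / email with no separate cool-off.
const SIGN_IN_POLICY: LimitPolicy = { maxAttempts: 5, windowMs: 15 * 60_000, coolOffMs: 5 * 60_000 };
const MAGIC_LINK_POLICY: LimitPolicy = { maxAttempts: 3, windowMs: 5 * 60_000, coolOffMs: 0 };

class AttemptLimiter {
  private attempts = new Map<string, number[]>();   // key -> attempt timestamps
  private blockedUntil = new Map<string, number>(); // key -> cool-off expiry (ms)
  // `now` is injectable so the behaviour can be checked with a fake clock.
  constructor(private policy: LimitPolicy, private now: () => number = Date.now) {}

  // Call once per attempt, keyed by client IP or e-mail address.
  check(key: string): Decision {
    const t = this.now();
    const until = this.blockedUntil.get(key);
    if (until !== undefined) {
      if (t < until) return { allowed: false, retryAfterMs: until - t };
      // Cool-off expired: start a fresh window for this key.
      this.blockedUntil.delete(key);
      this.attempts.delete(key);
    }
    const recent = (this.attempts.get(key) ?? []).filter((ts) => t - ts < this.policy.windowMs);
    if (recent.length >= this.policy.maxAttempts) {
      if (this.policy.coolOffMs > 0) {
        this.blockedUntil.set(key, t + this.policy.coolOffMs);
        return { allowed: false, retryAfterMs: this.policy.coolOffMs };
      }
      // No cool-off: retry is possible once the oldest attempt leaves the window.
      const oldest = recent[0] ?? t;
      return { allowed: false, retryAfterMs: oldest + this.policy.windowMs - t };
    }
    recent.push(t);
    this.attempts.set(key, recent);
    return { allowed: true, retryAfterMs: 0 };
  }
}
```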