Authentication

All sign-in in Apivom Iris is handled by Apivom Key, the platform identity provider. Apivom Key is OAuth2 / OpenID Connect compatible. Iris never stores user passwords directly — credentials are validated by Apivom Key only.

1. You visit your tenant URL.
2. Iris redirects to Apivom Key (Authorization Code flow with PKCE).
3. You authenticate with email + password (and second factor, if enabled).
4. Apivom Key redirects back to Iris with an authorization code.
5. Iris exchanges the code for an access token and creates a server-side session.

Iris uses server-side sessions backed by Redis. The browser holds only an opaque session cookie (HTTP-only, Secure, SameSite=Lax). No access tokens are exposed to the browser. Sessions expire after a period of inactivity configured per tenant.

Multi-factor authentication (MFA) is enforced at the Apivom Key level. The platform supports TOTP authenticator apps (Google Authenticator, 1Password, Authy, etc.) and can be enabled per user or required organisation-wide. Administrators configure MFA policy in Apivom Key.

For programmatic access, see the API reference. API tokens are issued and revoked by your organisation administrator and are scoped to specific Iris resources.