Skip to main content

Authentication

Ever Teams supports multiple authentication methods, all powered by the Ever Gauzy API backend. This page covers the available auth flows, their implementation, and how they work together.

Authentication Methods

MethodDescriptionUse Case
Magic CodeEmail-based passwordless authenticationDefault login flow — no password needed
PasswordTraditional email + password loginUsers who prefer password-based auth
Social / OAuthGoogle, GitHub, Facebook, Twitter SSOSingle sign-on convenience
Forgot PasswordEmail-based password reset flowRecovering account access
Invite CodeTeam invitation via emailed codeJoining an existing team by invitation

Magic Code (Passwordless) Login

This is the default login flow. Users enter their email, receive a magic code, and enter it to authenticate — no password required.

Flow

Key Files

FilePurpose
app/[locale]/auth/passcode/page.tsxRoute entry point
core/components/pages/auth/passcode/page-component.tsxMain passcode UI component
core/hooks/auth/use-authentication-passcode.tsHook managing passcode auth state
core/services/client/api/auth/auth.service.tsAPI service (sendAuthCode, signInEmailConfirm)

Code Length

The magic code is 8 characters long. This is defined by the AUTH_CODE_LENGTH constant in core/constants/config/constants.tsx and used consistently across all auth components.

Password Login

Users enter their email and password to authenticate.

Flow

Key Files

FilePurpose
app/[locale]/auth/password/page.tsxRoute entry point
core/components/pages/auth/password/page-component.tsxLogin form with password toggle
core/hooks/auth/use-authentication-password.tsHook managing password auth state
core/services/client/api/auth/auth.service.tsAPI service (signInEmailPassword)

Forgot / Reset Password

When a user forgets their password, they can request a reset link via email. See the dedicated Forgot Password page for full details.

Quick Summary

  1. User clicks "Forgot Password?" on the password login page
  2. Enters their email on /auth/forgot-password
  3. API sends a reset email with a tokenized link
  4. User clicks the link, lands on /auth/reset-password?token=...
  5. Enters and confirms new password
  6. Password updated — redirect to login

Social / OAuth Login

Supports SSO via Google, GitHub, Facebook, and Twitter.

Flow

Key Files

FilePurpose
core/components/auth/social-logins-buttons.tsxSocial login button components
core/services/client/api/auth/auth.service.tsAPI service (signInEmailSocialLogin)

Registration / Sign Up

New users can create an account and optionally create their first team.

Flow

  1. User navigates to /auth/signup
  2. Enters name, email, and team name (optional)
  3. API creates the user account and team
  4. User is authenticated and redirected to dashboard

Key Files

FilePurpose
app/[locale]/auth/signup/page.tsxRoute entry point
core/services/client/api/auth/auth.service.tsAPI service (registerUserTeam)

Token Management

JWT Tokens

TokenPurposeStorage
Access TokenAuthenticates API requestsCookie (access-token)
Refresh TokenObtains new access tokensCookie (refresh-token)

Token Refresh Flow

Key Files

FilePurpose
core/services/client/api/auth/auth.service.tsrefreshToken() method
core/lib/helpers/cookies.tsToken cookie management

Workspace Selection

After authentication, if a user belongs to multiple workspaces or teams, they select which one to use. If only one workspace with one team exists, the app auto-redirects to the dashboard.

Key Files

FilePurpose
core/hooks/auth/use-workspace-analysis.tsAnalyzes workspace structure for auto-redirect
core/components/pages/auth/passcode/page-component.tsxWorkSpaceComponent

Auth Routes Summary

RouteDescription
/auth/passcodeMagic code (passwordless) login
/auth/passwordPassword login
/auth/signupRegistration
/auth/forgot-passwordRequest password reset
/auth/reset-passwordSet new password (from email link)
/auth/accept-inviteAccept team invitation
/auth/social-welcomePost-social-login welcome
/auth/workspaceWorkspace selector
/auth/errorAuth error page

Gauzy API Auth Endpoints

All authentication is powered by the Ever Gauzy API. These are the key endpoints:

EndpointMethodAuthDescription
/auth/signin.emailPOSTPublicSend magic code email
/auth/signin.email/confirmPOSTPublicConfirm magic code
/auth/signin.email.passwordPOSTPublicSign in with password
/auth/signin.provider.socialPOSTPublicSocial / OAuth login
/auth/signin.workspacePOSTPublicSign into workspace
/auth/request-passwordPOSTPublicRequest password reset email
/auth/reset-passwordPOSTPublicReset password with token
/auth/refresh-tokenPOSTPublicRefresh JWT tokens
/auth/registerPOSTPublicRegister new account
/auth/loginPOSTPublicLogin with code (mobile)
tip

All auth endpoints are public (no JWT required) and rate-limited (typically 3 requests per minute) to prevent abuse.

Environment Variables

Auth-related environment variables (set in apps/web/.env.local):

VariableDescription
GAUZY_API_SERVER_URLGauzy API base URL
NEXT_PUBLIC_GAUZY_API_SERVER_URLClient-side API URL
AUTH_SECRETNextAuth secret (32+ chars)
INVITE_CALLBACK_URLCallback URL for invitations
VERIFY_EMAIL_CALLBACK_URLCallback URL for email verification
GOOGLE_APP_CLIENT_IDGoogle OAuth client ID
GOOGLE_APP_CLIENT_SECRETGoogle OAuth client secret
GITHUB_APP_CLIENT_IDGitHub OAuth client ID
GITHUB_APP_CLIENT_SECRETGitHub OAuth client secret
FACEBOOK_APP_CLIENT_IDFacebook OAuth client ID
FACEBOOK_APP_CLIENT_SECRETFacebook OAuth client secret
TWITTER_APP_CLIENT_IDTwitter OAuth client ID
TWITTER_APP_CLIENT_SECRETTwitter OAuth client secret

Service Architecture

The auth service layer is located at core/services/client/api/auth/:

FileClass / ExportPurpose
auth.service.tsauthServiceMain auth operations
signin.service.tssigninServiceWorkspace sign-in specifics

The AuthService class extends APIService and provides methods for all auth operations, automatically routing calls to either the Gauzy API (direct) or the Next.js API proxy layer based on configuration.