Skip to content

How do I log in?

Requires Basic

Open the login page, enter your email address and password, and click “Log in”. If two-factor authentication is active for your account, you’ll also be asked for the 6-digit authenticator code. If single sign-on (SSO) is configured for your email address, a “Sign in with …” button appears automatically once you enter the address.

You need an active user account — either created by an administrator (in which case you’ll receive an invitation email) or self-registered. If your organization requires 2FA, you’ll also need a configured authenticator device (see Set up 2FA).

  1. Open the login page. Open Notory in your browser. You’ll see the heading “Welcome back” and, below it, two fields for email address and password.

    The login form in its initial state.
  2. Enter your email address. As soon as you leave the field, Notory checks in the background whether an SSO provider is configured for that address. If so, a divider “Or continue with” appears below the form, followed by a “Sign in with …” button (for example, your company login). Clicking it takes you to the identity provider — the password field and the next step are then skipped.

    If SSO is configured for the email address, a 'Sign in with' button appears automatically.
  3. Enter your password and log in. Enter your password. You can optionally enable “Remember me” to stay logged in on this device. If self-service reset is enabled, you’ll also find the “Forgot password?” link here. Click “Log in”.

  4. Two-factor code (if active). If your account has 2FA, the “Authenticator code” field now appears. Enter the current 6-digit code from your authenticator app and click “Log in” again. You’ll then land on the Dashboard.

    With 2FA active, Notory asks for the 6-digit code from your authenticator app.
  • Session via HttpOnly cookies: After login, Notory keeps the session in HttpOnly cookies (it_access, ~15 minutes by default; it_refresh, ~7 days), which are refreshed automatically. The tokens aren’t readable by JavaScript (protection against XSS). Write actions additionally carry the CSRF cookie it_csrf as an X-CSRF-Token header (double-submit).
  • Rate limit: The login endpoints are limited per IP address (default 60 requests per minute) to slow down brute-force attempts.
  • Account lockout: After 5 failed attempts, the account is locked for 15 minutes.
  • Audit log: Every successful and every failed login attempt is logged (with IP address); last_login is updated.
  • Enforced 2FA: If your instance or tenant requires 2FA and you haven’t set it up yet, you can still log in, but you’re immediately taken to 2FA setup before you can use the app.
  • Setting a password: If an administrator set your password (onboarding), Notory prompts you to choose your own password on first login.
  • SSO: Email discovery determines the matching tenant server-side; the actual login happens at the identity provider, and Notory then sets the session.