How do I log in?
Quick answer
Section titled “Quick answer”Open the login page, enter your email address and password, and click “Log in”. If two-factor authentication is active for your account, you’ll also be asked for the 6-digit authenticator code. If single sign-on (SSO) is configured for your email address, a “Sign in with …” button appears automatically once you enter the address.
Prerequisites
Section titled “Prerequisites”You need an active user account — either created by an administrator (in which case you’ll receive an invitation email) or self-registered. If your organization requires 2FA, you’ll also need a configured authenticator device (see Set up 2FA).
Instructions
Section titled “Instructions”-
Open the login page. Open Notory in your browser. You’ll see the heading “Welcome back” and, below it, two fields for email address and password.
Screenshot pendingerste-schritte-login-01Empty login form with the fields Email address and Password and the 'Log in' buttonThe login form in its initial state. -
Enter your email address. As soon as you leave the field, Notory checks in the background whether an SSO provider is configured for that address. If so, a divider “Or continue with” appears below the form, followed by a “Sign in with …” button (for example, your company login). Clicking it takes you to the identity provider — the password field and the next step are then skipped.
Screenshot pendingerste-schritte-login-02Login form with the email address and an additional 'Sign in with' button after SSO detectionIf SSO is configured for the email address, a 'Sign in with' button appears automatically. -
Enter your password and log in. Enter your password. You can optionally enable “Remember me” to stay logged in on this device. If self-service reset is enabled, you’ll also find the “Forgot password?” link here. Click “Log in”.
-
Two-factor code (if active). If your account has 2FA, the “Authenticator code” field now appears. Enter the current 6-digit code from your authenticator app and click “Log in” again. You’ll then land on the Dashboard.
Screenshot pendingerste-schritte-login-03Login form with an additional 'Authenticator code' field for the two-factor promptWith 2FA active, Notory asks for the 6-digit code from your authenticator app.
Logging in is a POST to /api/v1/auth/login. On success, the server sets
the session as HttpOnly cookies (it_access, it_refresh) plus a
readable CSRF cookie (it_csrf) and responds with the logged-in user. For
purely programmatic access, an API token (bearer) is a better fit
than the cookie session — see API Tokens.
curl -X POST https://demo.notory.io/api/v1/auth/login \ -H "Content-Type: application/json" \ -c cookies.txt \ -d '{ "email": "max.mustermann@example.com", "password": "dein-passwort", "totp_code": "123456" }'You only include totp_code if your account uses 2FA. On success, the API
responds with HTTP 200 and the user object:
{ "id": "b7c3a1e2-4f5d-4a90-8c11-2d6e9f0a1b23", "email": "max.mustermann@example.com", "first_name": "Max", "last_name": "Mustermann", "role": "asset_manager", "tenant_id": "3d9b0c12-4e5a-4f88-b1c7-2a9e6d4f0011", "is_active": true, "totp_enabled": true, "must_setup_2fa": false, "must_change_password": false, "language": "de", "last_login": "2026-07-08T09:14:22Z"}Possible errors: 428 (Precondition Required — 2FA is active but
totp_code is missing; supply the code and resend), 401 (wrong
email/password or wrong code), 403 (account disabled or temporarily
locked after too many failed attempts), 429 (rate limit reached).
Which SSO providers apply to an email address is determined by email discovery:
curl -X POST https://demo.notory.io/api/v1/auth/sso/discover \ -H "Content-Type: application/json" \ -d '{ "email": "max.mustermann@example.com" }'{ "providers": [ { "id": "1a2b3c4d", "provider_name": "Firmen-Login (Azure AD)", "protocol": "oidc", "start_url": "/api/v1/auth/sso/1a2b3c4d/start" } ]}The browser then follows the start_url; the server redirects to the
identity provider and, after a successful login, sets the same session
cookies.
What happens behind the scenes?
Section titled “What happens behind the scenes?”- Session via HttpOnly cookies: After login, Notory keeps the session in
HttpOnly cookies (
it_access, ~15 minutes by default;it_refresh, ~7 days), which are refreshed automatically. The tokens aren’t readable by JavaScript (protection against XSS). Write actions additionally carry the CSRF cookieit_csrfas anX-CSRF-Tokenheader (double-submit). - Rate limit: The login endpoints are limited per IP address (default 60 requests per minute) to slow down brute-force attempts.
- Account lockout: After 5 failed attempts, the account is locked for 15 minutes.
- Audit log: Every successful and every failed login attempt is logged
(with IP address);
last_loginis updated. - Enforced 2FA: If your instance or tenant requires 2FA and you haven’t set it up yet, you can still log in, but you’re immediately taken to 2FA setup before you can use the app.
- Setting a password: If an administrator set your password (onboarding), Notory prompts you to choose your own password on first login.
- SSO: Email discovery determines the matching tenant server-side; the actual login happens at the identity provider, and Notory then sets the session.
Related topics
Section titled “Related topics”- Reset your password
- Set up 2FA
- Manage your profile
- SSO / OIDC — single sign-on per tenant, email discovery
- Users & Roles — who creates accounts?
- API Getting Started — authentication, base URL, error codes