Authentication
SSO-based authentication with session management and instant revocation
LaserData Cloud uses server-side, session-based authentication for interactive users. Because every request is checked against the session record held on the server, a session can be revoked instantly and permission changes take effect on the next request, and the session cookie itself is wrapped in several independent layers of protection, described under Session Security.
Sign-In Flow
- Click Sign In and choose your identity provider - Google, GitHub, or Microsoft
- Authenticate with the provider
- A secure session is created and you're redirected to the Console
No passwords are stored by LaserData Cloud. All identity verification is delegated to the SSO provider.
Session Security
Sessions are protected with multiple layers:
| Protection | What It Does |
|---|---|
| HttpOnly cookie | Prevents script running in the page (for example via `document.cookie`) from reading the session token |
| Secure flag | Cookie is only sent over HTTPS, never over plaintext HTTP |
| SameSite policy | Tells the browser not to attach the cookie to cross-site requests, which blocks most cross-site request forgery vectors |
| CSRF protection | Server-side token validation on every state-changing request, independent of the SameSite protection |
| Encrypted storage | Session data is encrypted at rest |
| Token hashing | Raw session tokens are never persisted; only their hashes are stored, so a leaked session database yields no usable cookies |
| Absolute lifetime | Sessions expire after a maximum age regardless of activity |
| Sliding expiry | Sessions also expire after a period of inactivity; each valid request extends the window |
IP Binding (Optional)
Users can enable IP binding on their account. A bound session is only accepted from the IP address and User-Agent it was created with; requests that present the session cookie from any other address or client are rejected. This is useful for administrators on stable networks, but it is opt-in because clients whose address changes mid-session (VPN reconnects, mobile carrier networks) would find themselves signed out.
Session Management
Revoke Sessions
You can revoke all of your active sessions at once from the Console or the API. Revocation is immediate because all session state lives server-side: the session records are deleted, and any cookie still held by a browser no longer resolves to a session.
Session Limits
The platform enforces a maximum number of concurrent sessions per user. Signing in beyond that limit requires revoking existing sessions first.
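The session store below is an added illustration of the protections listed in the Session Security table, the optional IP binding, and the revocation and session-limit behaviour in this section; it is not LaserData Cloud's own code. The class and function names, the cookie name `ld_session`, the lifetimes, and the concurrent-session limit are assumptions chosen for the example. It shows why hashing the token, keeping all state server-side, and checking both expiry rules on every request give the revocation and expiry guarantees the text describes.

```python
"""Server-side session store modelled on the protections described above.

Added example, not LaserData Cloud's code. Names, cookie name and the
lifetime/limit constants are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

COOKIE_NAME = "ld_session"          # assumed cookie name
ABSOLUTE_LIFETIME = 8 * 3600        # assumed: hard cap in seconds, regardless of activity
IDLE_TIMEOUT = 30 * 60              # assumed: sliding-expiry window in seconds
MAX_SESSIONS_PER_USER = 5           # assumed concurrent-session limit


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float
    ip: Optional[str] = None        # set only when the user opted into IP binding
    user_agent: Optional[str] = None
    # Per-session CSRF token; mutating requests must echo it back.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def _hash(token: str) -> str:
    """Raw tokens never reach storage: the store is keyed by SHA-256 of the
    token, so a leaked session table contains nothing a browser could present."""
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}   # hash(token) -> Session

    def count_for_user(self, user_id: str) -> int:
        return sum(1 for s in self._sessions.values() if s.user_id == user_id)

    def create(self, user_id: str, now: float, *, bind_ip: bool = False,
               ip: str = "", user_agent: str = "") -> str:
        """Mint a session after the SSO provider has verified identity.
        Returns the raw token, which is sent to the browser once and not kept."""
        if self.count_for_user(user_id) >= MAX_SESSIONS_PER_USER:
            raise RuntimeError("session limit reached; revoke existing sessions first")
        token = secrets.token_urlsafe(32)        # 256 bits of entropy
        self._sessions[_hash(token)] = Session(
            user_id=user_id, created_at=now, last_seen=now,
            ip=ip if bind_ip else None,
            user_agent=user_agent if bind_ip else None,
        )
        return token

    def validate(self, token: str, now: float, *, ip: str = "",
                 user_agent: str = "") -> Optional[Session]:
        """Resolve a cookie value to a session, enforcing absolute lifetime,
        sliding expiry and (if opted in) IP/User-Agent binding. Expired
        records are deleted; a binding mismatch is rejected without touching
        the record, so the legitimate client keeps its session."""
        key = _hash(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        if (now - sess.created_at > ABSOLUTE_LIFETIME      # absolute lifetime
                or now - sess.last_seen > IDLE_TIMEOUT):   # sliding expiry
            del self._sessions[key]
            return None
        if sess.ip is not None and (sess.ip != ip or sess.user_agent != user_agent):
            return None                                    # IP binding violated
        sess.last_seen = now                               # slide the idle window
        return sess

    def revoke_all(self, user_id: str) -> int:
        """Instant revocation: delete every server-side record for the user.
        Cookies still held by browsers become dead keys immediately."""
        keys = [k for k, s in self._sessions.items() if s.user_id == user_id]
        for k in keys:
            del self._sessions[k]
        return len(keys)


def csrf_ok(sess: Session, submitted: str) -> bool:
    """Constant-time check of the CSRF token echoed by a mutating request."""
    return hmac.compare_digest(sess.csrf_token, submitted)


def set_cookie_header(token: str, max_age: int = ABSOLUTE_LIFETIME) -> str:
    """Set-Cookie value carrying the browser-side protections from the table."""
    return (f"{COOKIE_NAME}={token}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", now=1000.0, bind_ip=True, ip="203.0.113.5", user_agent="ua")
    print(set_cookie_header(tok))
    print(store.validate(tok, 1001.0, ip="203.0.113.5", user_agent="ua") is not None)
    print(store.validate(tok, 1002.0, ip="198.51.100.9", user_agent="ua"))   # bound elsewhere
    print(store.revoke_all("alice"))
```

Note that `validate` re-checks both expiry rules on every request rather than trusting anything in the cookie: the cookie is an opaque random string, and every decision (expiry, binding, revocation) is made from the server-side record, which is what makes `revoke_all` take effect instantly.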
Programmatic Access
For CI/CD pipelines, CLIs, Terraform, and other programmatic access, use API Keys instead of interactive sessions. API keys use the same permission model and support IP allowlisting and expiry.