Authentication
SSO-based authentication with session management and instant revocation
LaserData Cloud uses session-based authentication for interactive users. Sessions provide instant revocation, immediate permission updates, and defense-in-depth security.
Sign-In Flow
Users authenticate via SSO through supported identity providers:
- GitHub
- Microsoft

1. Click Sign In and choose your identity provider
2. Authenticate with the provider
3. A secure session is created and returned as a cookie
4. You're redirected to the Console
No passwords are stored by LaserData Cloud. All identity verification is delegated to the SSO provider.
Session Security
Sessions are protected with multiple layers:
| Protection | What It Does |
|---|---|
| HttpOnly cookie | Prevents JavaScript from reading the session token |
| Secure flag | Cookie is only sent over HTTPS |
| SameSite policy | Prevents the cookie from being sent with cross-site requests |
| CSRF protection | Server-side token validation on all mutating requests |
| Encrypted storage | Session data is AES-encrypted at rest |
| Token hashing | Session tokens are stored as Blake3 hashes — the raw token is never persisted |
| Absolute lifetime | Sessions expire after a maximum time regardless of activity |
| Sliding expiry | Sessions also expire after a period of inactivity |
IP Binding (Optional)
Users can enable IP binding on their account, which locks sessions to the originating IP address and User-Agent. This is useful for administrators on stable networks but is opt-in since it may not work with VPNs or mobile networks.
Session Management
Revoke Sessions
You can revoke all active sessions at once from the Console or API. Revocation is instant — all session data is deleted server-side.
Session Limits
The platform enforces a maximum number of concurrent sessions per user. Exceeding the limit requires revoking existing sessions.
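
The following sketch is an added illustration, not LaserData Cloud's code. It shows how token hashing, absolute and sliding expiry, revoke-all, and a per-user session limit fit together in one store. The lifetimes, the limit of 3, and the `SessionStore` and `token_digest` names are assumptions, and BLAKE2b from Python's standard library stands in for Blake3.

```python
import hashlib
import secrets
import time

# Assumed values: the page does not state the real lifetimes or limit.
ABSOLUTE_LIFETIME = 12 * 3600  # seconds since creation
IDLE_TIMEOUT = 30 * 60         # seconds since last use
MAX_SESSIONS = 3               # concurrent sessions per user

def token_digest(token: str) -> str:
    # BLAKE2b (standard library) stands in for Blake3 in this sketch.
    return hashlib.blake2b(token.encode(), digest_size=32).hexdigest()

class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # digest -> record; the raw token is never stored

    def _expired(self, rec, now):
        return (now - rec["created"] > ABSOLUTE_LIFETIME
                or now - rec["last_seen"] > IDLE_TIMEOUT)

    def create(self, user: str) -> str:
        now = self.clock()
        # Drop dead sessions first so they do not count against the limit.
        self.sessions = {d: r for d, r in self.sessions.items()
                         if not self._expired(r, now)}
        if sum(r["user"] == user for r in self.sessions.values()) >= MAX_SESSIONS:
            raise PermissionError("session limit reached; revoke a session first")
        token = secrets.token_urlsafe(32)  # returned once, for the cookie
        self.sessions[token_digest(token)] = {
            "user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token: str):
        digest, now = token_digest(token), self.clock()
        rec = self.sessions.get(digest)
        if rec is None or self._expired(rec, now):
            self.sessions.pop(digest, None)
            return None
        rec["last_seen"] = now  # sliding expiry: activity resets the idle timer
        return rec["user"]

    def revoke_all(self, user: str) -> int:
        doomed = [d for d, r in self.sessions.items() if r["user"] == user]
        for d in doomed:
            del self.sessions[d]
        return len(doomed)
```

Because only the digest is kept, a leaked copy of the store does not yield usable cookies, and revocation takes effect on the next request because validation always consults the store.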
Programmatic Access
For CI/CD pipelines, CLIs, Terraform, and other programmatic access, use API Keys instead of interactive sessions. API keys use the same permission model and support IP allowlisting and expiry.