Document Stack

SSO & Authentication

Configure Single Sign-On with Google, GitHub, or SAML for your organization.

Authentication Methods

Document Stack supports multiple ways to authenticate:

  • Email & password — Traditional email-based login
  • Email OTP — Passwordless login via one-time code
  • Google OAuth — Sign in with Google
  • GitHub OAuth — Sign in with GitHub
  • SAML SSO — Enterprise single sign-on (Enterprise plan)

Social Login (Google & GitHub)

Social login is available to all users on all plans. When a user signs in with Google or GitHub for the first time, a Document Stack account is automatically created and linked to their social profile.

  • Profile name and avatar are imported from the social provider
  • Email is verified automatically
  • Users can link additional social accounts from Account Settings

Users who signed up with email can connect their Google or GitHub account later for faster sign-in. Go to Account Settings → Connected Accounts.

Passwordless Email OTP

Users can sign in without a password by requesting a one-time verification code sent to their email:

  1. On the sign-in page, click Sign in with Email
  2. Enter your email address
  3. Check your inbox for a 6-digit verification code
  4. Enter the code to sign in

OTP codes expire after 10 minutes. Each code can only be used once.

SAML SSO (Enterprise)

Enterprise organizations can configure SAML-based Single Sign-On to enforce authentication through their identity provider (IdP).

Supported Identity Providers

  • Okta
  • Azure Active Directory (Microsoft Entra ID)
  • Google Workspace
  • OneLogin
  • Any SAML 2.0 compliant IdP

Setting Up SAML

  1. Go to Settings → Security → SSO Configuration
  2. Click Configure SAML
  3. Enter your IdP's metadata URL or upload the metadata XML
  4. Copy the Document Stack ACS URL and Entity ID into your IdP
  5. Test the connection
  6. Enable SAML for your organization

SAML Configuration Values

ACS URL:    https://api.documentstack.dev/api/auth/saml/callback
Entity ID:  https://api.documentstack.dev/api/auth/saml/metadata
Name ID:    Email Address (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)

Enforce SSO

When you enable SAML SSO enforcement, all team members must sign in through your identity provider. Email/password and social logins are disabled for the organization.

Session Management

Document Stack sessions are managed securely:

  • Sessions expire after 30 days of inactivity
  • Active sessions are refreshed automatically
  • Users can view and revoke sessions from Account Settings
  • Organization admins can revoke all sessions for a member

Security Best Practices

  • Enable SSO for your organization to centralize authentication
  • Use strong, unique passwords if using email-based login
  • Regularly review active sessions and revoke unused ones
  • Remove team members promptly when they leave your organization
