Authentication Overview
Odeion supports several ways to sign in. All of them end in the same place: a server-side session bound to the device that logged in.
Login Methods
Section titled “Login Methods”| Method | Who uses it | Details |
|---|---|---|
| Username and password | Everyone | Default method. Accounts are created by invite. |
| Anyone, once an admin enables it | OAuth and SSO Providers | |
| Discord | Anyone, once an admin enables it | OAuth and SSO Providers |
| Apple | Anyone, once an admin enables it | Web flow plus native sign-in in the iOS app. OAuth and SSO Providers |
| Device link code | TV and mobile apps | Short code entered on a second device. Device Linking |
| API key | Scripts and integrations | Scoped, non-admin access. API Keys |
Registration is invite-only regardless of method: signing in with a new OAuth identity still requires an invite code to create the account.
Every user has one of four roles, in increasing privilege order: viewer, curator, mod, admin. Roles gate what a user can see and do across the web app and the API. See Users and Roles for the full permission matrix.
Sessions at a Glance
Section titled “Sessions at a Glance”A successful login creates a session identified by an opaque token with the ods_ prefix. Sessions record the device they were created on and remain valid until revoked, either by the user from their settings or by an admin. See Sessions and Tokens.
Protections
Section titled “Protections”Failed logins are rate limited per IP address and per username, and admins can lock individual accounts or disable logins server-wide. See Rate Limiting and Account Locking.