Skip to content

Authentication Overview

Odeion supports several ways to sign in. All of them end in the same place: a server-side session bound to the device that logged in.

MethodWho uses itDetails
Username and passwordEveryoneDefault method. Accounts are created by invite.
GoogleAnyone, once an admin enables itOAuth and SSO Providers
DiscordAnyone, once an admin enables itOAuth and SSO Providers
AppleAnyone, once an admin enables itWeb flow plus native sign-in in the iOS app. OAuth and SSO Providers
Device link codeTV and mobile appsShort code entered on a second device. Device Linking
API keyScripts and integrationsScoped, non-admin access. API Keys

Registration is invite-only regardless of method: signing in with a new OAuth identity still requires an invite code to create the account.

Every user has one of four roles, in increasing privilege order: viewer, curator, mod, admin. Roles gate what a user can see and do across the web app and the API. See Users and Roles for the full permission matrix.

A successful login creates a session identified by an opaque token with the ods_ prefix. Sessions record the device they were created on and remain valid until revoked, either by the user from their settings or by an admin. See Sessions and Tokens.

Failed logins are rate limited per IP address and per username, and admins can lock individual accounts or disable logins server-wide. See Rate Limiting and Account Locking.