Authentication & Access Control
Contract-as-Code uses Firebase Authentication for identity management and role-based access control for authorization.
Authentication
Sign-up and login
- Email and password authentication
- Magic link (passwordless) login
- Google OAuth (optional, configurable per organisation)
Multi-factor authentication (MFA)
MFA is supported via:
- Time-based one-time passwords (TOTP) — Google Authenticator, Authy, 1Password
- SMS verification (fallback only; SMS is weaker than TOTP because codes can be intercepted or redirected by SIM swap, so prefer TOTP where the user can enrol an authenticator app)
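TOTP codes from the authenticator apps listed above are deterministic HMAC outputs over the shared secret and the current 30-second step, so a server can generate and check them offline. The block below is an added example (not Contract-as-Code's implementation) showing generation per RFC 6238 and the verification rules a practitioner wants alongside it: a one-step clock-skew window, rejection of a counter that has already been accepted (replay), and constant-time comparison. The only test secret used is the one published in RFC 6238 Appendix B.

```python
"""TOTP (RFC 6238) generation and server-side verification.
Added example; not Contract-as-Code's own code."""
import base64
import hashlib
import hmac
import struct

# Base32 of the ASCII secret "12345678901234567890" from RFC 6238 Appendix B.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32; tolerate the
    spaces and lowercase that enrolment screens show, and restore padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp_for_counter(secret_b32: str, counter: int, digits: int = 6) -> str:
    return hotp(decode_secret(secret_b32), counter, digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """Code valid at Unix time `at`: HOTP with counter = floor(at / step)."""
    return totp_for_counter(secret_b32, at // step, digits)


def verify_totp(secret_b32, code, at, step=30, digits=6, window=1, last_counter=None):
    """Return the counter the code matched, or None if it is rejected.

    - Accepts `window` steps either side of the current step to absorb clock skew.
    - Refuses any counter at or below `last_counter`, so a code that was already
      accepted cannot be replayed (the caller persists the returned counter per user).
    - Compares with hmac.compare_digest so the check runs in constant time.
    """
    if not (isinstance(code, str) and code.isdigit() and len(code) == digits):
        return None
    current = at // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(totp_for_counter(secret_b32, candidate, digits), code):
            return candidate
    return None
```

On a successful verification, store the returned counter against the user and pass it back as `last_counter` on the next attempt; that single integer is what turns a skew window into a safe one, because without it the same code is accepted for up to three steps.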
Enterprise requirement
Enterprise organisations can enforce MFA for all users at the organisation level via Settings → Security → Require MFA.
Session management
| Setting | Default | Configurable |
|---|---|---|
| Session duration | 24 hours | ✓ |
| Idle timeout | 2 hours | ✓ |
| Concurrent sessions | Unlimited | ✓ |
| Force logout all sessions | Available | — |
SSO (Enterprise)
Enterprise customers can configure SAML 2.0 or OIDC-based single sign-on:
| Provider | Protocol | Status |
|---|---|---|
| Microsoft Entra ID (Azure AD) | SAML 2.0 | Supported |
| Okta | SAML 2.0 / OIDC | Supported |
| Google Workspace | OIDC | Supported |
| OneLogin | SAML 2.0 | Supported |
| Custom SAML/OIDC | SAML 2.0 / OIDC | Supported |
To configure SSO, contact support@contract-as-code.com with your IdP metadata URL.
Role-based access control
Roles
| Role | Description |
|---|---|
| Owner | Full access, including billing and organisation deletion |
| Admin | Full access except billing and ownership transfer |
| Reviewer | Review rule candidates, run validation, export reports |
| Viewer | Read-only access to contracts, findings, and reports |
Permissions matrix
| Action | Owner | Admin | Reviewer | Viewer |
|---|---|---|---|---|
| Upload contracts | ✓ | ✓ | ✗ | ✗ |
| Review rule candidates | ✓ | ✓ | ✓ | ✗ |
| Run validation | ✓ | ✓ | ✓ | ✗ |
| View findings | ✓ | ✓ | ✓ | ✓ |
| Export reports | ✓ | ✓ | ✓ | ✓ |
| Invite team members | ✓ | ✓ | ✗ | ✗ |
| Manage webhooks | ✓ | ✓ | ✗ | ✗ |
| Manage billing | ✓ | ✗ | ✗ | ✗ |
| Delete organisation | ✓ | ✗ | ✗ | ✗ |
Inviting team members
Navigate to Settings → Team → Invite.
- Enter the email address
- Select a role
- Click Send invite
The invitee receives an email with a link to join your organisation. Invites expire after 7 days.
Removing team members
Admins and Owners can remove team members from Settings → Team. Removing a member:
- Revokes their access immediately
- Does not delete their actions from the audit trail
- Does not affect findings or reports they generated
Audit trail
All authentication and team-management events are logged:
| Event | Logged data |
|---|---|
| Login | User, IP, timestamp, method (password/magic link/SSO) |
| Failed login | Email attempted, IP, timestamp |
| MFA challenge | User, success/failure, timestamp |
| Password change | User, timestamp |
| Role change | User changed, by whom, old role, new role |
| Team member invited | Email, role, invited by |
| Team member removed | User, removed by |
Authentication logs are retained for 7 years.
API authentication
API requests use Bearer token authentication:
`Authorization: Bearer <api_key>`

API keys are scoped to a specific organisation and role. Generate API keys from Settings → API Keys.
| Scope | Description |
|---|---|
| read | Read-only access to contracts, findings, and reports |
| write | Upload contracts, run validation, manage rules |
| admin | Full API access including team and webhook management |
API keys do not expire but can be revoked at any time. Because a key never expires on its own, treat it as a long-lived credential: keep it in a secrets manager rather than in source control, issue one key per integration so a single key can be revoked without disrupting the others, and rotate by generating a replacement and revoking the old key.
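A server-side check that enforces the role matrix and API-key scopes described on this page, as an added example (not Contract-as-Code's own code). It assumes keys are stored only as SHA-256 hashes, that a key's effective permissions are the intersection of its role's permissions and its scope's permissions (so an `admin`-scoped key minted for a Reviewer still cannot upload contracts), and that the scope descriptions map onto the matrix actions as commented in the code; all three are assumptions, and the key store and requests are constructed.

```python
"""Validate a Bearer API key and decide one action against the role matrix
and scopes on this page. Added example, not Contract-as-Code's own code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ALL_ACTIONS = {
    "upload_contracts", "review_rule_candidates", "run_validation", "view_findings",
    "export_reports", "invite_team_members", "manage_webhooks", "manage_billing",
    "delete_organisation",
}

# Permissions matrix from this page, one set of allowed actions per role.
ROLE_PERMISSIONS = {
    "Owner": set(ALL_ACTIONS),
    "Admin": ALL_ACTIONS - {"manage_billing", "delete_organisation"},
    "Reviewer": {"review_rule_candidates", "run_validation", "view_findings", "export_reports"},
    "Viewer": {"view_findings", "export_reports"},
}

# API-key scopes from this page. Assumptions: "manage rules" maps to
# review_rule_candidates, exporting a report counts as reading it, and billing
# and organisation deletion are never reachable through the API.
SCOPE_PERMISSIONS = {
    "read": {"view_findings", "export_reports"},
    "write": {"view_findings", "export_reports", "upload_contracts",
              "run_validation", "review_rule_candidates"},
    "admin": ALL_ACTIONS - {"manage_billing", "delete_organisation"},
}


@dataclass
class ApiKey:
    key_hash: str        # SHA-256 hex of the token; the plaintext is never stored
    organisation: str
    role: str
    scope: str
    revoked: bool = False


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_key(store: list, organisation: str, role: str, scope: str) -> str:
    """Mint a key. The plaintext is returned exactly once; only its hash is kept."""
    if role not in ROLE_PERMISSIONS or scope not in SCOPE_PERMISSIONS:
        raise ValueError("unknown role or scope")
    token = secrets.token_urlsafe(32)
    store.append(ApiKey(_digest(token), organisation, role, scope))
    return token


def lookup_key(store: list, token: str):
    """Return the record for a presented token, or None. Every record is compared
    with a constant-time digest comparison so timing does not reveal which matched."""
    digest = _digest(token)
    found = None
    for record in store:
        if hmac.compare_digest(record.key_hash, digest):
            found = record
    return found


def revoke_key(store: list, token: str) -> bool:
    """Revocation takes effect on the next request; nothing else is cached."""
    record = lookup_key(store, token)
    if record is None:
        return False
    record.revoked = True
    return True


def authorize(store: list, auth_header, organisation: str, action: str):
    """Return (allowed, reason) for one request. Denies on a malformed header,
    an unknown or revoked key, an organisation mismatch, or an action outside
    the intersection of the key's role and scope."""
    parts = auth_header.split(" ", 1) if isinstance(auth_header, str) else []
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return False, "malformed Authorization header"
    record = lookup_key(store, parts[1].strip())
    if record is None:
        return False, "unknown key"
    if record.revoked:
        return False, "key revoked"
    if record.organisation != organisation:
        return False, "key is scoped to a different organisation"
    if action not in ALL_ACTIONS:
        return False, "unknown action"
    effective = ROLE_PERMISSIONS[record.role] & SCOPE_PERMISSIONS[record.scope]
    if action not in effective:
        return False, f"{action} not allowed for role {record.role} with scope {record.scope}"
    return True, "ok"
```

Calling `issue_key(store, "acme", "Reviewer", "admin")` and then `authorize(store, "Bearer <token>", "acme", "upload_contracts")` returns a denial even though the scope is `admin`, because the Reviewer row of the matrix does not include uploads; the intersection is what keeps an API key from exceeding the role it was created under.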