Skip to main content

Security policy

Tenant-wide security policy. Applies to every login, every session, every API call against this tenant.

Network policy
IP allowlist takes precedence: if non-empty, only matching CIDRs may sign in. Denylist always blocks.

Empty = allow from anywhere (subject to denylist).

Password policy
Enforced at signup, password change, and password reset.
Session policy
Affects new sessions only; existing sessions keep their original lifetime.

Go duration string. Examples: 24h, 720h (30 days), 2160h (90 days).

MFA enforcement
How aggressively users are pushed toward enrolling a second factor.

Note: this policy isn't enforced at login yet — only the separate risk-based step-up (adaptive MFA) applies today.

Unsaved changes

Workspace
Directory
Authentication
Authorization
Security
Developer
Administration
↑↓ navigate · select · esc close75 results