Skip to content

Sign in & first run

The Cloud Digit Console is reachable at the URL provided to you on account creation (typically a cloud.* subdomain under your organization's primary domain). Sign-in goes through Cloud Digit's Keycloak-backed identity provider, with four parallel paths:

Path When
Email + password Default for accounts that don't federate through an IdP
Google SSO If your IdP is Google Workspace, or you opted to link a Google account
GitHub SSO Useful for engineering / DevOps personas
Microsoft SSO If your IdP is Azure AD / Microsoft 365

Customer organizations can also be configured with SAML / OIDC federation against an enterprise IdP — covered in the upcoming Identity & access → SSO section.

The sign-in page

Cloud Digit sign-in page Sign-in page at the Cloud Digit Console. Left: brand panel. Right: credential form + SSO buttons.

The form has four interactive controls:

  • Email — the address associated with your Cloud Digit account (not necessarily the same as your corporate email — check your invite).
  • Password — your account password. The eye icon to the right reveals it (use that if you're typing into a phone with autocomplete).
  • Remember me — keeps you signed in across browser restarts (within the server-side session lifetime).
  • Sign In — submits the form.

Below the form:

  • Or sign in with — Google · GitHub · Microsoft. Clicking one redirects you to that provider's consent screen, then back to Cloud Digit.
  • Forgot Password? — email-driven reset flow. Only available for accounts that have a password (not for SSO-only accounts).
  • New user? Register — only relevant if your org has open self-service registration enabled; most regulated FI orgs disable it and onboard users via invite.

First-time sign-in

The first time you sign in, you'll go through:

  1. Credential acceptance — type your password or complete the SSO flow.
  2. MFA enrolment (mandatory for org Owner and Admin roles) — scan a QR code into an authenticator app (Authy, Google Authenticator, 1Password, etc.) and enter the 6-digit code.
  3. Identity provider consent (SSO only) — Google / GitHub / Microsoft asks whether to share your email + profile with Cloud Digit. Approve once; it doesn't re-prompt unless you revoke the link.
  4. Landing page — if you belong to a single organization, you land on its organization page with your project tiles. If you belong to more than one, you land on the multi-org picker first.

Organization landing page Organization landing — your organizations with their projects. Click any project tile to enter that project's Console.

MFA is mandatory for Owner and Admin

Cloud Digit enforces TOTP-based MFA for any account holding the Owner or Admin role on an organization. You cannot bypass MFA for these roles — by design. Member-level users may have MFA optional depending on org policy.

SSO sign-in

When you click a third-party SSO button:

  1. Cloud Digit redirects to the provider (accounts.google.com, github.com/login/oauth/..., or login.microsoftonline.com).
  2. The provider checks for an existing cookie. If valid, the page silently bounces back to Cloud Digit with an OIDC code.
  3. If no valid cookie, the provider shows its own sign-in page; complete it as usual.
  4. Cloud Digit's Keycloak validates the OIDC code and provisions a session.

The whole round trip is typically under 2 seconds when the provider cookie is valid; closer to 10–15 seconds the first time you sign in via SSO (provider may prompt for MFA on its side too).

Forgot password

  1. Click Forgot Password? on the sign-in form.
  2. Enter the email associated with your Cloud Digit account.
  3. Cloud Digit emails a password-reset link (sender: noreply at your Cloud Digit domain). Check spam if it doesn't arrive within 2 minutes.
  4. Click the link, set a new password, sign in.

The reset link is single-use and expires after 30 minutes. If it expires before you use it, start over.

Reset link not arriving?

The most common cause is that your account is configured for SSO-only — the Forgot Password flow is disabled because there's no password to reset. Check with your org admin; you may need to sign in via the SSO path instead.

Sign-out

Click your avatar in the top-right and choose Logout. You'll be returned to the sign-in page, and any local browser-cached tokens are cleared.

Closing the tab doesn't sign you out

Closing the browser tab leaves the server-side session alive (subject to the session-lifetime policy). Use Logout explicitly on shared computers.

Sessions, timeouts, and re-auth

Cloud Digit uses short-lived access tokens plus refresh tokens. In practice:

  • Access token refreshes silently as you click around — you won't notice.
  • Refresh token has a longer lifetime (typically 8 hours). When it expires, you're sent back to Keycloak for re-auth. If you signed in via SSO, the re-auth is usually silent (your IdP cookie is still valid).
  • Idle timeout — after extended inactivity, the session is invalidated server-side, and your next action triggers a redirect back to the sign-in page.

If you get unexpectedly bumped back to sign-in mid-session, your token simply expired — sign in again, you'll resume where you left off (the URL is preserved through the round trip).