ForjioHuudisIdentityPlugipayPaymentsCatentioAgentsStorlaunchE-commerceFulkrumaFulfilmentRiplloMarketingLinkSnapShort URLsPawpadoGPU streaming
Catentio Docs
⌘K

Sign in

Catentio uses Huudis SSO. Signing in is one click on catent.io followed by Huudis's standard authentication flow. The portal redirects you to Huudis, Huudis authenticates you, Huudis redirects you back, and the portal verifies you against the v1 single-user allowlist.

The whole flow takes about ten seconds if you're already signed into Huudis, or thirty if you need to type a password.

You won't be able to sign in unless you're the configured single user. See the Authentication overview for the gate. If you hit forbidden_user, that's the cause — not a transient error.

When to use this

Use the standard sign-in flow when:

  • You're opening the Catentio portal in a browser for the first time on a new device.
  • Your session cookie has expired (after 7 days of inactivity).
  • You explicitly signed out and want to come back in.

For automation, you don't want this flow — use API authentication with a static key, or the CLI's device flow.

The flow

  1. Visit catent.io.
  2. Click "Log in".
  3. Authenticate with Huudis — email + password, Google, or Apple.
  4. You land on /dashboard.

Step-by-step

1. Visit catent.io

Go to catent.io. The landing page shows the marketing site. Click Log in in the top-right.

(If you go directly to a /dashboard/* URL and you're not signed in, the portal will redirect you to /login automatically and bounce you back to the original URL once you authenticate. You don't need to remember the page you wanted.)

2. Click Log in

You land on catent.io/login. The page shows two options:

  • An email + password form bound to Huudis.
  • Optionally Continue with Google and Continue with Apple — these buttons only render if the Huudis instance has the corresponding providers configured. Catentio probes Huudis on page load (/.well-known/oidc-providers) and conditionally renders them.

Submitting the form (or clicking a social button) starts the OIDC flow: the portal calls /api/v1/auth/huudis/start, which generates a PKCE pair and redirects to huudis.com/api/v1/oidc/authorize.

3. Authenticate with Huudis

You're on huudis.com now. The page asks for your email and password (or shows the provider's own consent screen if you went through Google / Apple).

If Huudis already has an active session for you — e.g., you signed into Plugipay earlier today — this step is silent. You don't see Huudis at all; the OIDC flow auto-completes and you're back on Catentio.

Otherwise: enter credentials, submit, and Huudis redirects you back.

4. The callback

The browser arrives at catent.io/callback?code=…&state=…. The callback:

  1. Reads the PKCE cookie set in step 2.
  2. POSTs the code + verifier to Huudis's token endpoint.
  3. Decodes the access token's claims and checks sub === HUUDIS_ALLOWED_USER_ID.
  4. If matched, sets the catentio_session cookie and redirects to /dashboard.

If the gate rejects you, the redirect goes to /login?error=forbidden_user instead.

5. The dashboard

You land on /dashboard. The top-left shows your active workspace; the sidebar lists every section (Agents, Runs, Projects, Tools, Skills, Memory, Heartbeats, Integrations, API keys, Webhooks, Cost, Events, Feature flags, Output destinations, Files, System health, Live, Workspaces, Settings).

From here, see Portal → Tour to find your way around.

Programmatic sign-in (CLI / scripts)

The portal cookie flow is browser-only. If you want a non-browser session — the CLI or an interactive script — use OIDC device flow instead:

catentio-saas auth login

The CLI prints a verification URL + code, opens your browser, and polls Huudis for the token. The flow uses your same Huudis identity (and goes through the same single-user gate), but the credentials are stored at ~/.catentio-saas/credentials rather than in a browser cookie.

See API authentication for the underlying protocol and how to wire device flow into your own code via the SDKs.

Common errors

forbidden_user

You're a valid Huudis user, but not the one Catentio's deployment is configured for. There's no client-side fix — either change HUUDIS_ALLOWED_USER_ID server-side, or contact whoever runs the deployment.

invalid_state

The PKCE state didn't match between authorization and callback. Usually caused by:

  • A stale tab where the original PKCE cookie expired.
  • Opening multiple sign-in flows in parallel.
  • Clearing cookies mid-flow.

Start over by going back to catent.io/login.

token_exchange_failed

The portal couldn't exchange the code at Huudis. Either Huudis is having a bad day (rare) or your client config is wrong (rarer once the deployment is live). Refresh and try again; if it persists, check the Huudis status page.

no_session_cookie

You're hitting a portal API but your session cookie isn't present. Sign in again at /login.

Next