Help / Auth Codens

Auth Codens

The unified identity layer for the Codens family. OAuth2 / OIDC provider, organization management, member invitations, SSO, API key issuance, and the machine-readable pricing.json.

Role

Auth Codens is the identity backplane for every other Codens product. A single account + set of credentials signs you into Red, Blue, Green, Purple, and Yellow.

OAuth2 / OIDC provider: Authorization Code + PKCE / Device Code Flow / Refresh Token.
SSO: Google / GitHub / Microsoft (Enterprise) social login.
Organization management: member invitations, roles, SCIM (Enterprise).
Machine-readable pricing.json: the canonical billing-plan definitions as an endpoint.

Sign up

Open https://auth.codens.ai/en/signup.
Sign up with email + password, or Google / GitHub SSO.
Verify your email, then enter an organization name.
Billing details can be added later from the billing page (not required during Free Trial).

New organizations receive a Free Trial of 30,000 credits (14 days). See Pricing.

Organization & member management

All resources and billing live inside an organization. Belong to multiple orgs, switch between them, and manage roles (Admin / Member) from Auth Codens.

Invite members: Auth Codens dashboard → Organization → Members → "Invite member".
Change role / remove: same screen.
Per-service org_id: SSO is shared, but Red / Blue / Green / Purple each issue independent organization_id UUIDs. MCP resolves them automatically via /auth/me; explicit values are not required.

Passing an organization_id from one service into another raises UNAUTHORIZED / ORG_NOT_FOUND. See Errors.

SSO configuration

Individual accounts can sign in via Google / GitHub social login. Business / Enterprise plans support SAML / OIDC SSO via Okta, Microsoft Entra ID, and other IdPs.

Organization → Security → SSO. Upload IdP metadata.
Optionally enable Just-in-Time provisioning to auto-create members on first sign-in.
Enterprise customers can use SCIM for automatic provisioning from the IdP.

API keys & agent capability tokens

Personal access tokens / API keys are available for CI jobs and backend integrations. For agents specifically, use the auth_agent tool to mint short-lived capability tokens.

// Mint an agent token via an existing user's API key
await tools.auth_agent({
  action: "signup",
  agent_name: "ci-bot",
  scopes: ["purple.workflow.create", "red.bug.read"]
});

Store the token in CI secrets and pass it as Authorization: Bearer ... when calling the REST API.

Handy endpoints

Purpose	URL
OIDC Discovery	https://api.auth.codens.ai/.well-known/openid-configuration
Pricing JSON (machine-readable)	https://api.auth.codens.ai/.well-known/pricing.json
Device authorization	POST `https://api.auth.codens.ai/oauth/device/authorize`
Token	POST `https://api.auth.codens.ai/oauth/token`
User info (auto-resolve org)	GET `https://api.auth.codens.ai/api/v1/auth/me`

Next steps

MCP setup

Device Code Flow login details

Error envelope

UNAUTHORIZED / JWT errors

Pricing

5 tiers and credit model