Authentication & Team Management
LogPulse supports multiple authentication methods to fit your organization's security requirements. Users can sign in with email and password, OAuth social login (Google and GitHub), or API keys for programmatic access.
Access control is managed through a role-based system with four levels: Owner, Admin, Member, and Viewer. Organizations provide multi-tenant isolation for companies managing multiple teams or products.
| Auth Method | Use Case | MFA Support |
|---|---|---|
| Email & Password | Individual accounts and small teams | Not yet available |
| OAuth (Google) | Teams using Google Workspace for identity | Delegated to Google |
| OAuth (GitHub) | Developer teams using GitHub for identity | Delegated to GitHub |
| API Keys | Programmatic access, CI/CD pipelines, agent configuration | N/A (key-based) |
Email & Password
Standard email and password authentication is available for all LogPulse accounts. New users create an account with an email address and password, then verify their email address via a confirmation link.
Password Requirements
Passwords must meet the following requirements:
| Requirement | Details |
|---|---|
| Minimum length | 12 characters |
| Character classes | At least one uppercase letter, one lowercase letter, and one number |
| Special characters | Recommended but not required |
| Breached password check | Passwords are checked against the HaveIBeenPwned database and rejected if found |
| Password history | Cannot reuse any of your last 10 passwords |
| Expiration | No forced expiration (per NIST SP 800-63B guidelines) |
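
The requirements above can be expressed as a single check, shown here as an added example (not LogPulse's own code). The range-style breach lookup, the PBKDF2 history storage, and every function name are assumptions of this example; `fake_range` is a constructed offline stand-in for the breach lookup.

```python
import hashlib
import hmac

MIN_LENGTH = 12          # "Minimum length" row
HISTORY_DEPTH = 10       # "Password history" row
PBKDF2_ROUNDS = 100_000  # assumed storage parameter, not from the page

def stored_hash(password, salt):
    """Assumed storage format for old passwords: salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def is_breached(password, fetch_range):
    """Range lookup: only the first 5 hex chars of the SHA-1 leave the server."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        # Padded responses may include decoy suffixes with a count of 0.
        if candidate.upper() == suffix and count.isdigit() and int(count) > 0:
            return True
    return False

def check_password(password, history, fetch_range):
    """Return the violated requirements; an empty list means accepted.
    history is a list of (salt, hash) pairs, newest last."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    for name, test in (("no_uppercase", str.isupper),
                       ("no_lowercase", str.islower),
                       ("no_number", str.isdigit)):
        if not any(test(ch) for ch in password):
            problems.append(name)
    if is_breached(password, fetch_range):
        problems.append("breached")
    for salt, old in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(stored_hash(password, salt), old):
            problems.append("reused")
            break
    return problems

def fake_range(prefix):
    """Constructed stand-in for the range endpoint so this runs offline:
    it knows one breached password and always adds one padding line."""
    known = hashlib.sha1(b"Password12345").hexdigest().upper()
    lines = ["0" * 35 + ":0"]
    if known.startswith(prefix):
        lines.append(known[5:] + ":1234")
    return "\r\n".join(lines)
```
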
Password Reset
To reset a forgotten password, click "Forgot password" on the login page. A password reset link is sent to the registered email address. The link expires after 1 hour and can only be used once.
SSO / SAML (Coming Soon)
When available, SAML SSO will support enterprise identity providers, automatic user provisioning and deprovisioning, attribute mapping, and group-based role assignment.
API Keys
API keys provide programmatic access to the LogPulse API. Each key is scoped to specific permissions and can be rotated or revoked at any time without affecting other keys.
Key Scopes
| Scope | Permissions | Use Case |
|---|---|---|
| ingest-only | POST /api/v1/logs, POST /api/v1/logs/batch | Vector agents, application logging, CI/CD pipelines |
| read-only | GET /api/v1/logs, GET /api/v1/search, GET /api/v1/alerts | Dashboards, monitoring integrations, read-only tooling |
| full-access | All API endpoints including management operations | Admin scripts, automation, infrastructure-as-code |
Creating and Managing Keys
To create an API key, navigate to Integrations, then HTTP API, then click Create API Key. Provide a name, select the scope, and optionally set an expiration date. The key is displayed once after creation and cannot be retrieved later.
```
lp_live_a1b2c3d4e5f6g7h8i9j0 (production key)
lp_test_a1b2c3d4e5f6g7h8i9j0 (test/staging key)
```

Keys can be rotated by creating a new key, updating your configuration to use the new key, and then revoking the old key. LogPulse does not support in-place key rotation -- this two-step process ensures zero-downtime key changes.
Revoking Keys
To revoke a key, click the Revoke button on the Integrations → HTTP API page. Revocation takes effect immediately. Any requests using the revoked key will receive a 401 Unauthorized response. Revoked keys cannot be reinstated.
Team Management
Inviting Members
To invite a new team member, navigate to Settings, then Team. Click Invite Member, enter the user's email address, and select a role. The user receives an email invitation with a link to join the organization.
Invitations expire after 48 hours. If the user has not accepted the invitation, you can resend it from the pending invitations list.
Roles
LogPulse uses four predefined roles. Each user is assigned exactly one role within an organization. Roles cannot be customized, but the permissions they grant cover common access patterns.
| Role | Description |
|---|---|
| Owner | Full access to all features including billing, organization settings, and member management. Each organization must have at least one Owner. |
| Admin | Can manage alert rules, notification channels, dashboards, saved searches, and team members. Cannot access billing or delete the organization. |
| Member | Can search logs, write logs, create and update alerts, create and update dashboards, and manage ETL pipelines. Cannot manage team settings, API keys, or delete alerts. |
| Viewer | Read-only access to logs, dashboards, teams, and ETL pipelines. Cannot create or modify any resources. |
Role Permissions
The following table shows the complete permissions matrix for each role.
| Permission | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| Read logs | Yes | Yes | Yes | Yes |
| Write logs | Yes | Yes | Yes | No |
| Delete / export logs | Yes | Yes | No | No |
| Read dashboards | Yes | Yes | Yes | Yes |
| Create / update dashboards | Yes | Yes | Yes | No |
| Delete dashboards | Yes | Yes | No | No |
| Create / update alerts | Yes | Yes | Yes | No |
| Delete alerts | Yes | Yes | No | No |
| Create / read API keys | Yes | Yes | No | No |
| Revoke API keys | Yes | Yes | No | No |
| Read teams | Yes | Yes | Yes | Yes |
| Manage teams | Yes | Yes | No | No |
| Manage ETL pipelines | Yes | Yes | Yes | Read only |
| Invite / remove users | Yes | Yes | No | No |
| Change member roles | Yes | Yes | No | No |
| Manage organization settings | Yes | Yes | No | No |
| Manage billing | Yes | No | No | No |
Organizations
Creating Organizations
An organization is the top-level container for all LogPulse resources including logs, dashboards, alerts, and team members. When you sign up, a default organization is created automatically. You can create additional organizations from the organization switcher in the top navigation bar.
Each organization has its own billing, data storage, API keys, and team roster. Data is fully isolated between organizations -- there is no cross-organization log access. Each user can create up to 5 organizations, and each organization can have up to 50 members.
Switching Organizations
If you belong to multiple organizations, use the organization switcher in the top-left corner of the dashboard to move between them. Your role may differ across organizations (for example, Owner in one and Member in another).
Organization-Level Settings
Organization settings are accessible to Owners and include:
| Setting | Description |
|---|---|
| Organization name | Display name shown in the dashboard and notifications |
| Default timezone | Timezone used for dashboard displays and scheduled reports |
| Data retention policy | Default retention period for all indexes |
| IP allowlist | Restrict dashboard and API access to specific IP ranges |
| OAuth providers | Google and GitHub OAuth configuration |
| Billing plan | Current plan, usage, and payment method |
Audit Log
The audit log records all administrative and security-relevant actions performed within your organization. It provides a tamper-evident trail for compliance audits and security investigations.
The following events are recorded in the audit log:
| Category | Events |
|---|---|
| Authentication | Login success, login failure, password reset, OAuth login, email verification |
| Team Management | Member invited, member role changed, member removed, invitation resent, invitation revoked |
| API Keys | Key created, key revoked, key used (first use only) |
| Alert Rules | Rule created, rule updated, rule deleted, rule enabled/disabled |
| Dashboards | Dashboard created, dashboard deleted, dashboard shared |
| Organization | Settings updated, IP allowlist modified, plan changed |
Each audit log entry includes the timestamp, actor (user email or API key ID), action, resource affected, source IP address, and user agent. Audit logs are retained for 365 days regardless of your data retention plan.
```json
{
  "timestamp": "2026-03-21T14:32:10.000Z",
  "actor": "[email protected]",
  "action": "alert_rule.created",
  "resource": "rule_high_error_rate",
  "resource_type": "alert_rule",
  "ip_address": "203.0.113.42",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)",
  "details": {
    "rule_name": "High Error Rate",
    "severity": "warning",
    "channels": ["ch_slack_ops"]
  }
}
```

Session Management
LogPulse session management provides controls for session duration, concurrent sessions, and forced logout.
| Setting | Default | Configurable |
|---|---|---|
| Session duration | 7 days | Configured via BETTER_AUTH_SECRET |
| Session update age | 24 hours | Session refreshed daily |
| Cookie cache | 5 minutes | Cookie validation caching period |
| Concurrent sessions | Unlimited | No limit enforced |
Sessions are managed by Better Auth and expire after 7 days. The session token is refreshed every 24 hours. Cookie validation is cached for 5 minutes to reduce database lookups. When a session expires, the user is redirected to the login page. Secure cookies are used automatically in production environments.
Security Best Practices
Follow these recommendations to secure your LogPulse organization:
Use OAuth social login where possible. Encourage team members to sign in using Google or GitHub OAuth, which delegates authentication security (including MFA) to the identity provider.
Rotate API keys regularly. Establish a key rotation schedule (recommended: every 90 days) and automate the rotation process where possible. Use separate keys for each service or environment to limit blast radius.
Apply the principle of least privilege. Assign users the minimum role required for their responsibilities. Use ingest-only API keys for logging agents and read-only keys for dashboards and monitoring tools.
Configure an IP allowlist. Restrict dashboard and API access to your organization's IP ranges. This prevents unauthorized access even if credentials are compromised.
Review the audit log regularly. Set up a monthly review of audit log entries for unusual patterns: failed login attempts, API key creation from unexpected IPs, or role changes.
Use OAuth for teams. Google and GitHub OAuth centralizes authentication and delegates credential management and MFA to the identity provider.
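
The audit log review recommended above can be scripted. The following is an added example (not part of LogPulse) that flags the three patterns named: repeated failed logins, API key creation from an IP outside your allowlist, and role changes. It assumes entries are already parsed into dicts with the field names from the audit log example; the three action names and the sample entries are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumed action names, modelled on the page's "alert_rule.created";
# confirm them against real audit entries before relying on this.
LOGIN_FAILED = "auth.login_failed"
KEY_CREATED = "api_key.created"
ROLE_CHANGED = "member.role_changed"

def review(entries, allowed_cidrs, max_failures=5):
    """Return (finding, actor, ip) tuples for the patterns worth a human look."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings, failures = [], Counter()
    for e in entries:
        actor, raw_ip, action = e["actor"], e["ip_address"], e["action"]
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            # An unparseable source address is itself worth reviewing.
            findings.append(("bad_ip", actor, raw_ip))
            continue
        on_allowlist = any(ip in n for n in nets)
        if action == LOGIN_FAILED:
            failures[(actor, raw_ip)] += 1
        elif action == KEY_CREATED and not on_allowlist:
            findings.append(("key_created_off_allowlist", actor, raw_ip))
        elif action == ROLE_CHANGED:
            findings.append(("role_changed", actor, raw_ip))
    for (actor, raw_ip), count in failures.items():
        if count >= max_failures:
            findings.append(("repeated_login_failure", actor, raw_ip))
    return findings

SAMPLE = [  # constructed entries using the page's field names
    {"actor": "dev@example.com", "action": LOGIN_FAILED, "ip_address": "198.51.100.7"},
    {"actor": "dev@example.com", "action": LOGIN_FAILED, "ip_address": "198.51.100.7"},
    {"actor": "dev@example.com", "action": LOGIN_FAILED, "ip_address": "198.51.100.7"},
    {"actor": "ops@example.com", "action": LOGIN_FAILED, "ip_address": "203.0.113.42"},
    {"actor": "admin@example.com", "action": KEY_CREATED, "ip_address": "203.0.113.42"},
    {"actor": "admin@example.com", "action": KEY_CREATED, "ip_address": "192.0.2.9"},
    {"actor": "admin@example.com", "action": ROLE_CHANGED, "ip_address": "203.0.113.42"},
    {"actor": "dev@example.com", "action": "alert_rule.created", "ip_address": "203.0.113.42"},
]

if __name__ == "__main__":
    for finding in review(SAMPLE, ["203.0.113.0/24"], max_failures=3):
        print(finding)
```
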
Social Login (OAuth)
LogPulse supports OAuth social login with Google and GitHub. Users can sign in with their existing Google or GitHub accounts without needing to create a separate LogPulse password.
Google OAuth
To enable Google sign-in, configure your Google OAuth credentials in the environment variables. Users with Google Workspace accounts can sign in directly.
GitHub OAuth
To enable GitHub sign-in, configure your GitHub OAuth App credentials. This is especially convenient for developer teams already using GitHub.