User Authentication
ReArch supports different ways to sign in depending on how your organization has configured the platform. You do not need to choose or set up an authentication method yourself — your administrator has already selected one for the entire instance.
When you open ReArch, the login page automatically adapts to the method configured for your organization.
Sign-In Methods
Section titled “Sign-In Methods”Email and Password (Local)
Section titled “Email and Password (Local)”This is the simplest way to sign in. You create an account with your email, a username, and a password, then use those credentials to log in each time.
First-time setup — the initial administrator:
When ReArch starts for the very first time and no users exist yet, it automatically creates an administrator account using the ADMIN_EMAIL and ADMIN_PASSWORD values defined in the environment configuration. This is the first account on the platform — it is immediately active and has full administrator privileges, so the person who deploys ReArch can sign in right away and start managing the instance.
See Configuration for details on setting these values.
Once this initial administrator is signed in, they can activate other users, manage roles, and configure platform settings. All subsequent users go through the normal registration process below.
Getting started:
- Open your ReArch instance and click Register.
- Fill in your email, username, and password.
- Wait for an administrator to activate your account. You will not be able to sign in until your account is marked as active.
- Once activated, sign in with your email and password.
Changing your password: Go to your account settings page and use the password change form. Passwords must be between 8 and 128 characters.
Signup restrictions: Your administrator may have restricted who can register. For example, only email addresses from your company domain may be allowed, or self-registration may be disabled entirely. If you cannot register, contact your administrator.
Company Identity Provider (OAuth)
Section titled “Company Identity Provider (OAuth)”If your organization uses an identity provider like Google Workspace, Azure AD, or Okta, you may see a single Sign in button instead of email and password fields. Clicking it redirects you to your company’s login page.
Getting started:
- Open your ReArch instance and click Sign in.
- You are redirected to your company’s identity provider (e.g., Google, Microsoft).
- Authenticate with your company credentials.
- You are redirected back to ReArch. On your first sign-in, your account is created automatically.
- Wait for an administrator to activate your account before you can start using the platform.
You do not manage a separate password in ReArch. Your company credentials are all you need.
Keycloak
Section titled “Keycloak”Some organizations use Keycloak as a centralized login system. If this is the case, you will be redirected to a Keycloak login page when you open ReArch.
Getting started:
- Open your ReArch instance. You are automatically redirected to the Keycloak login page.
- Sign in with the credentials provided by your organization.
- You are redirected back to ReArch and can start working immediately — no manual activation is needed.
Sign in with other providers: Depending on your organization’s setup, the Keycloak login page may show additional sign-in options (such as “Sign in with PingID” or other company identity providers). Click the relevant option and follow the prompts.
With Keycloak, your roles and permissions are managed centrally by your organization. Any role changes made in Keycloak are reflected in ReArch automatically.
Account Statuses
Section titled “Account Statuses”Your account can be in one of three states:
| Status | What It Means |
|---|---|
| Active | You can sign in and use ReArch normally. |
| Pending verification | Your account has been created but an administrator has not activated it yet. You cannot sign in. |
| Suspended | An administrator has disabled your account. Contact your administrator if you believe this is an error. |
ReArch has two user roles:
| Role | What You Can Do |
|---|---|
| User | Create conversations, interact with AI agents, manage your profile, and review changes. |
| Admin | Everything a user can do, plus manage other users, change platform settings, and access administration features. |
New accounts are assigned the User role by default.
Security
Section titled “Security”ReArch protects your account with several built-in security measures:
- Login attempt limits — After too many failed sign-in attempts, further attempts are temporarily blocked. This protects against unauthorized access.
- Passwords are stored securely — If you use email and password sign-in, your password is never stored in plain text and is never visible to administrators.
- Sessions expire automatically — You will be asked to sign in again after a period of inactivity.
- Secure connections — All communication between your browser and ReArch is protected with industry-standard security headers.
For details on environment variables related to authentication (including rate limiting and token settings), see Configuration.