Authentication
Overview
Primentra uses token-based authentication to protect access to the application. Every user must sign in with their email and password before they can view or edit data.
- First-run setup — When no users exist yet, a setup screen guides you through creating the first administrator account
- Login screen — After the first user is created, all subsequent access requires signing in
- Session tokens — After login, a session token is stored in your browser and sent with every request. Sessions expire after a configurable period of inactivity (default: 24 hours)
- Idle timeout warning — A countdown modal appears 5 minutes before your session expires, with a "Stay Logged In" button to extend it
Signing In
The login screen appears when you are not authenticated. Enter your email address and password, then click Sign in.
- Passwords are case-sensitive
- The show/hide toggle (eye icon) lets you verify your password before submitting
- After a successful login, you are redirected to the dashboard
- Your session token is stored in the browser and persists across page reloads
One-click sign-in link (new users)
When an administrator creates a new account with Must change password enabled and sends a welcome email, the email contains a one-click sign-in link instead of a plain-text password. Clicking the link automatically signs you in and immediately shows the Set new password screen. You must choose a personal password before you can access the application — you cannot skip this step.
The link is valid for 72 hours and can only be used once. If it has expired or already been used, the login screen shows:
Ask your administrator to resend the welcome email via the mail icon on your user card in the Users panel.
Forced password change
If an administrator marks your account with Must change password, you will see the password change screen immediately after signing in (with your existing password). The rest of the application is not accessible until you have set a new password.
If you see an error message, check that your email and password are correct. After too many failed attempts, your account may be locked (see Account Lockout below).
Signing Out
To sign out, click the gear icon in the top-right corner to open the settings menu. Your name and email are shown at the top. Click Sign out at the bottom of the menu.
Signing out:
- Invalidates your session token on the server
- Removes the token from your browser
- Redirects you to the login screen
Session Management
Primentra uses server-side session tokens for authentication. Here is how sessions work:
- Token format — A random 64-character hex string, generated server-side
- Storage — The token is stored in `localStorage` in your browser
- Transport — Sent as an `Authorization: Bearer <token>` header on every API request
- Expiry — Sessions expire after a configurable period of inactivity (default: 24 hours)
- Sliding window — Any activity (mouse, keyboard, scrolling) resets the inactivity timer
- Warning — A countdown modal appears 5 minutes before your session expires, with a "Stay Logged In" button
- Server restart — All sessions are invalidated when the API server restarts (users must sign in again)
Configuring the session timeout:
Administrators can change the session timeout duration in Settings → General → Session Timeout. Available presets are 1, 4, 8, 12, 24, or 48 hours, or any custom value.
Security notes:
- Passwords are hashed using `scrypt` with a random salt — plain-text passwords are never stored
- Tokens are cryptographically random and cannot be guessed
- Each user can have one active session at a time