Sign in

Email + password vs Google / GitHub OAuth. What happens with mixed-mode accounts.

bichito offers three ways to authenticate:

  • Email + password — classic flow, with a 6-digit verification code on first signup.
  • Google OAuth — one click, no password.
  • GitHub OAuth — one click, no password.

You can mix them on the same account: signing up with email + password, then later signing in with Google using the same address, links the two and lets you use either going forward.

Sign up with email + password

  1. Pick a password (8 chars min).
  2. Check your inbox for a 6-digit code (valid 24h).
  3. Enter the code on the verify screen.
  4. Land in the onboarding wizard.

If you didn't get the code, click Resend. Resends are throttled to one per minute per email, so a mistyped address can't be used to flood someone's inbox.
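The signup-code lifecycle above (6-digit code, 24h validity, one resend per minute, one-shot use) as an added example. This is illustrative code, not bichito's implementation; the in-memory store, the injectable clock, and the choice to mint a fresh code on every resend are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 24 * 60 * 60       # a code is valid for 24h (from the page)
RESEND_INTERVAL_SECONDS = 60          # one resend per minute per email (from the page)


class VerificationCodes:
    """Issue and check signup verification codes.

    Assumed store shape, not bichito's: at most one pending code per email.
    `now` is injectable so expiry and throttling can be tested without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # email -> {"code": str, "expires": float, "sent": float}

    def issue(self, email):
        """Mint a fresh 6-digit code. `secrets`, never `random`: the code is a credential."""
        code = f"{secrets.randbelow(1_000_000):06d}"   # zero-padded, so 000042 is a valid code
        now = self._now()
        self._pending[email] = {"code": code, "expires": now + CODE_TTL_SECONDS, "sent": now}
        return code

    def resend(self, email):
        """Re-issue a code unless one was sent less than a minute ago.

        Returns the new code, or None when throttled. Assumption: a resend replaces
        the previous code rather than re-sending it.
        """
        entry = self._pending.get(email)
        if entry is not None and self._now() - entry["sent"] < RESEND_INTERVAL_SECONDS:
            return None
        return self.issue(email)

    def verify(self, email, submitted):
        """True if the submitted code matches and is unexpired. A correct code is consumed."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        if self._now() > entry["expires"]:
            del self._pending[email]          # expired codes are dropped, not kept around
            return False
        # Constant-time compare so a guesser learns nothing from how many digits matched.
        if not hmac.compare_digest(entry["code"], str(submitted)):
            return False
        del self._pending[email]              # one-shot: the same code cannot be replayed
        return True
```

A 6-digit code has only a million possibilities, so in a real service the check above would sit behind an attempt limit per email as well; that limit is not described on the page and is left out here.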

Sign up with Google or GitHub

  1. Click the provider button on /signup or /login.
  2. Approve on the provider's consent screen.
  3. Land directly in the onboarding wizard. There is no separate email verification step: we rely on the email address the OAuth provider reports as verified, and that verified address is also what links a provider login to an existing account with the same email.

Mixed-mode accounts

If you signed up with email + password and later OAuth into the same address:

  • The two get linked.
  • You can use either method going forward.
  • Your password still works.

If you signed up with OAuth and never set a password, attempting POST /auth/login with a password fails with a clear "this account uses OAuth — sign in with Google/GitHub instead" message. Note that, unlike a generic "invalid credentials" reply, this response confirms that an account exists for the address and which kind it is.

To set a password on an OAuth-only account, use the forgot password flow as if you'd lost the password — the reset link works fine for accounts that have never had one. Future sign-ins can then use either method.
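The linking rules above (password signup, OAuth login onto the same address, password login against an OAuth-only account, and the reset flow that gives such an account a password) as one added example. This is illustrative code, not bichito's; the in-memory store, the PBKDF2 parameters and the exact response strings are assumptions. The one rule it enforces beyond what the page spells out is the obvious consequence of relying on the provider's verified email: a callback whose address the provider does not mark as verified is never linked.

```python
import hashlib
import hmac
import os

PROVIDER_NAMES = {"google": "Google", "github": "GitHub"}
PBKDF2_ROUNDS = 100_000   # assumed cost; the service's real hash and parameters are not on the page


def hash_password(password, salt=None):
    """salt || PBKDF2-HMAC-SHA256(password). Stdlib stand-in for whatever the service uses."""
    salt = salt if salt is not None else os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class Accounts:
    """In-memory store, one record per lowercased email (assumed shape).

    password=None marks an OAuth-only account; `providers` holds the linked OAuth providers.
    """

    def __init__(self):
        self._users = {}

    def signup_with_password(self, email, password):
        if len(password) < 8:                         # 8 chars min, from the page
            raise ValueError("password must be at least 8 characters")
        email = email.lower()
        if email in self._users:
            raise ValueError("an account with this email already exists")
        self._users[email] = {"password": hash_password(password), "providers": set()}

    def oauth_callback(self, provider, email, email_verified):
        """Finish a Google/GitHub login.

        Creates the account on first use, or links the provider to the existing account
        with the same address. Both happen only when the provider asserts the address is
        verified; otherwise anyone who could attach an unverified address to a provider
        account could take over the matching account here.
        """
        if provider not in PROVIDER_NAMES:
            raise ValueError("unknown provider")
        if not email_verified:
            return "rejected: provider did not verify this email"
        email = email.lower()
        user = self._users.get(email)
        if user is None:
            self._users[email] = {"password": None, "providers": {provider}}
            return "created"
        user["providers"].add(provider)               # mixed-mode: both methods now work
        return "linked"

    def password_login(self, email, password):
        user = self._users.get(email.lower())
        if user is None:
            return "invalid credentials"
        if user["password"] is None:
            # The behaviour the page describes for OAuth-only accounts. This reply confirms
            # that an account exists for the address and which provider it uses.
            names = "/".join(PROVIDER_NAMES[p] for p in sorted(user["providers"]))
            return f"this account uses OAuth, sign in with {names} instead"
        if not check_password(password, user["password"]):
            return "invalid credentials"
        return "ok"

    def reset_password(self, email, new_password):
        """Where the emailed reset link lands. Sets a password whether or not the account
        ever had one, which is how an OAuth-only account gains password sign-in."""
        if len(new_password) < 8:
            raise ValueError("password must be at least 8 characters")
        self._users[email.lower()]["password"] = hash_password(new_password)
```

The `email_verified` argument stands for whatever the provider exposes: Google's ID token carries an `email_verified` claim, and GitHub's user-emails API reports a per-address `verified` flag. Treating an unverified address as authoritative is the classic way OAuth account linking goes wrong.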

Session lifetime

Login issues a JWT (signed with HS256) valid for 30 days. Authenticated requests update last-activity bookkeeping but do not extend the JWT's expiry: when it expires, you log in again. There's no separate refresh token; the design favours simple over fancy.

Sign out removes the JWT from the browser's local storage. Because there is no server-side session state, a copy of the token taken before sign-out stays valid until it expires, and there's no session list / "log out all devices" today. If you suspect a token leak, change your password (that doesn't invalidate existing JWTs, but it stops new ones being issued without the new password) and contact us if you need a forced revoke.
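The token lifecycle above as an added example: minting an HS256 JWT with a 30-day `exp`, verifying it, and showing that a password change on its own leaves an issued token valid. This is illustrative stdlib code, not bichito's; the claim names, the secret and the optional `password_changed_at` check are assumptions. That last check is a hardening step the page does not describe: rejecting tokens whose `iat` predates the last password change gives "changing my password logs out leaked tokens" without a server-side session list.

```python
import base64
import hashlib
import hmac
import json
import time

JWT_TTL_SECONDS = 30 * 24 * 60 * 60   # 30 days, from the page


def b64url(data):
    """JWT base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(secret, user_id, now=None):
    """Mint header.payload.signature with HS256 over the first two segments."""
    now = int(now if now is not None else time.time())
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user_id, "iat": now, "exp": now + JWT_TTL_SECONDS}   # assumed claim set
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def verify_jwt(secret, token, now=None, password_changed_at=None):
    """Return the claims if the token is well-formed, correctly signed and unexpired, else None.

    `password_changed_at` is the added hardening knob described in the lead-in: when given,
    tokens issued before that instant are rejected. Without it, a password change does not
    affect tokens already issued, which is the behaviour the page describes.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(unb64url(header_b64))
        # Check the algorithm before trusting anything else: we only ever mint HS256,
        # so "none" or any other value is a forgery attempt, not a configuration choice.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(sig_b64)):
            return None
        claims = json.loads(unb64url(payload_b64))
    except ValueError:          # bad segment count, bad base64 or bad JSON
        return None
    if not isinstance(claims.get("exp"), int) or not isinstance(claims.get("iat"), int):
        return None
    now = now if now is not None else time.time()
    if now >= claims["exp"]:
        return None
    if password_changed_at is not None and claims["iat"] < password_changed_at:
        return None
    return claims
```

Verification is deliberately ordered: algorithm check, then signature, then claims. Parsing the payload before the signature has been checked means acting on attacker-controlled data, which is how most JWT library bugs have started.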

SSO / SAML

Not yet. If you need it, get in touch — it's on the post-MVP roadmap and we'll prioritise based on demand.
