Dashboard authentication described here applies to Novu Cloud. Self-hosted deployments use email and password only. See Self-Hosted and Novu Cloud for a full comparison.
Sign-in methods
Novu Cloud supports the following ways to create an account and sign in:
Email and password
Create an account with your email address and a password. Novu sends a verification email before your account is fully activated. Use this method if you prefer a traditional credential-based sign-in or if your organization does not use SSO.
Google and GitHub
Sign up or sign in with your existing Google or GitHub account. Social sign-in links your Novu account to the provider you choose, so you do not need a separate password.
Enterprise SSO (OIDC and SAML)
Enterprise customers can connect a corporate identity provider using OpenID Connect (OIDC) or SAML 2.0. This lets your team sign in with credentials managed by your organization—common providers include Okta, Microsoft Entra ID, and Google Workspace. For setup details, see SAML SSO & SCIM.
Multi-factor authentication (MFA)
Add a second verification step to protect your account. Novu supports:
- Authenticator app (TOTP) — Use an app such as Google Authenticator or 1Password to generate time-based codes.
- SMS verification code — Receive a one-time code by text message where enabled.
Session management
Novu manages authenticated sessions with industry-standard security practices:
- Active sessions — View devices and browsers where you are currently signed in.
- Session revocation — Sign out of a specific device or end all active sessions from your account settings.
- Automatic expiration — Sessions expire after a period of inactivity to reduce the risk of unauthorized access.
Authorization after sign-in
Authentication confirms who you are. Authorization controls what you can do inside each organization:
- Each organization has its own roles and permissions (Owner, Admin, Author, Viewer).
- Team members are invited and managed per organization.
- Enterprise customers can use SAML SSO and SCIM for centralized provisioning and offboarding.
Best practices
Prefer SSO for teams
If your company uses a corporate identity provider, enable OIDC or SAML SSO so access is governed by your existing IT policies, including password rotation and account deactivation.
Enable MFA for privileged roles
Require MFA for users with Owner or Admin roles. Owners control billing, API keys, and team membership. Admins can manage workflows, integrations, and API keys.
Use verified domains for onboarding
Add a verified domain so colleagues with your company email can join your organization through a controlled process instead of ad-hoc sign-ups.
Remove access promptly
When someone leaves your team, remove them from the organization or rely on SCIM deprovisioning so their dashboard access is revoked immediately.
Choose the right data region at sign-up
Select your preferred data region when creating your account. Region selection affects where your notification data is stored.
Related topics
Organizations
How organizations work, creating orgs, and switching between them.
Roles and permissions
Role-based access control for dashboard actions.
Team members
Invite, manage, and remove organization members.
Security and compliance
SOC 2, ISO 27001, GDPR, HIPAA, and data residency.