Authentication and access control
Authentication
Interval Actions and Pages for an organization can only be accessed through the Interval dashboard for that organization.
Interval currently supports the following authentication schemes:
- Email/password
- Sign in with Google
- SSO
As a developer, you don't need to do any additional work to enable authentication for your actions. Just provide an Interval API key for your organization when instantiating the Interval class.
Multi-factor authentication
Interval supports multi-factor authentication (MFA), also known as two-factor authentication, for added account security. MFA can be enabled for individual user accounts and can optionally be enforced for everyone in your organization.
Before using MFA, you will need an app that supports generating one-time passwords (OTP).
For iOS/macOS users we recommend StepTwo. If you are already a 1Password user, you can use 1Password to generate these.
To enable MFA:
- Visit your account settings page in the Interval dashboard.
- Scroll to the section labeled "Multi-factor authentication."
- Click "Enable MFA" and follow the remaining prompts.
As the owner of an organization, you can enforce that all users in your organization have MFA enabled. To enforce MFA:
- Visit the settings page for your organization.
- Click the "Security" tab.
- Check the box labeled "Require Multi-factor authentication."
Caution: Be aware that requiring MFA for your organization will immediately interrupt all logged-in users and prompt them to enable it.
Roles
Members of your organization can be assigned one of three roles. Roles determine which functionality users have access to.
- Admins can do everything, including managing users, teams, Live mode API keys, and environments.
- Developers can run actions and view pages in Live mode and develop in Dev mode with their Personal Development Key. Developers cannot create Live mode API keys.
- Members can run actions and view pages in Live mode.
Roles are assigned on the Users page of the dashboard.
Permissions
By default, actions can be accessed by anyone in your organization.
You can create Teams within your organization. Teams are groups of users. You might have teams for customer support, engineering, ops, and so on. Teams can be created on the Teams page in the Interval dashboard.
Once you've created teams in your organization, you can configure individual actions or pages to be accessible only to members of specific teams.
Info: Access control is currently applied only to live environments; it is not applied when using a personal development key.
Defining permissions in code
Permissions configuration is done entirely with code. Use the access property when defining a new action or page to control which teams can access that action or page.
To assign access to specific teams, use the slug for each team, found on the Settings > Teams page.
When applied to Pages, access control is applied top-down. If access is not specified for a given page or action, Interval will go up the hierarchy tree to its parent page recursively until it finds a specified access, or until reaching the top of the hierarchy tree. If no access is specified, it defaults to "entire-organization".
Here's an example of restricting action access to a single team:
TypeScript:

import { Page } from "@interval/sdk";

// only the Support team can view this page
export default new Page({
  name: "Support",
  access: {
    // use the slug for each team, found on the Settings > Teams page
    teams: ["support"],
  },
  handler: async () => {
    // your page code
  },
});

import { Action } from "@interval/sdk";

// only the Support team can run this action, because its access is controlled
// by the parent Page
export default new Action({
  handler: async () => {
    // your action code
  },
});

import { Action } from "@interval/sdk";

// everyone in the organization can run this action, despite the parent access
// restriction
export default new Action({
  access: "entire-organization",
  handler: async () => {
    // your action code
  },
});

JavaScript:

const { Page } = require("@interval/sdk");

// only the Support team can view this page
module.exports = new Page({
  name: "Support",
  access: {
    // use the slug for each team, found on the Settings > Teams page
    teams: ["support"],
  },
  handler: async () => {
    // your page code
  },
});

const { Action } = require("@interval/sdk");

// only the Support team can run this action, because its access is controlled
// by the parent Page
module.exports = new Action({
  handler: async () => {
    // your action code
  },
});

const { Action } = require("@interval/sdk");

// everyone in the organization can run this action, despite the parent access
// restriction
module.exports = new Action({
  access: "entire-organization",
  handler: async () => {
    // your action code
  },
});
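The top-down resolution rule described above, written out as a small stand-alone model (an added example, not Interval's code or SDK API). The route tree, the team slugs, and the use of "/" as the hierarchy separator are assumptions constructed for the example; the audit lists every route that ends up open to the entire organization and whether it widens a restricted parent.

```javascript
// Constructed route tree (hypothetical slugs and teams). `access` mirrors the
// property described above: undefined, "entire-organization", or { teams: [...] }.
const routes = {
  "support": { access: { teams: ["support"] } },
  "support/refund": {},                                 // inherits from parent page
  "support/status": { access: "entire-organization" },  // explicit override
  "billing": {},                                        // nothing set anywhere
  "billing/invoices/void": { access: { teams: ["finance"] } },
  "billing/invoices/list": {},
};

// Walk from the route up through its parents until an access value is found.
// Assumption: "/" separates hierarchy levels in a slug.
function resolveAccess(tree, slug) {
  const parts = slug.split("/");
  for (let i = parts.length; i > 0; i--) {
    const candidate = parts.slice(0, i).join("/");
    const access = tree[candidate]?.access;
    if (access !== undefined) {
      const source = candidate === slug ? "explicit" : `inherited:${candidate}`;
      return { access, source };
    }
  }
  // Top of the hierarchy reached with nothing specified.
  return { access: "entire-organization", source: "default" };
}

// Report every route open to the whole organization and why, so a reviewer can
// tell deliberate overrides from routes that were never restricted.
function auditOpenRoutes(tree) {
  const findings = [];
  for (const slug of Object.keys(tree).sort()) {
    const { access, source } = resolveAccess(tree, slug);
    if (access !== "entire-organization") continue;
    const cut = slug.lastIndexOf("/");
    const parent = cut === -1 ? null : resolveAccess(tree, slug.slice(0, cut)).access;
    // An open route under a team-restricted parent widens that restriction.
    const widensParent = parent !== null && parent !== "entire-organization";
    findings.push({ slug, source, widensParent });
  }
  return findings;
}

console.table(auditOpenRoutes(routes));
```

Routes reported with source "default" were never given an access value anywhere in their hierarchy, which is the case most worth reviewing before an action handles sensitive data.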