Authentication and access control
Authentication
Interval Actions and Pages for an organization can only be accessed through the Interval dashboard for that organization.
Interval currently supports the following authentication schemes:
- Email/password
- Sign in with Google
- SSO
You can sign up or log in with email or Google here. If you'd like SSO to be enabled for your organization, contact us.
As a developer, you don't need to do any additional work to enable authentication for your actions. Just provide an Interval API key for your organization when instantiating the Interval class.
Multi-factor authentication
Interval supports multi-factor authentication (MFA), also known as two-factor authentication, for added account security. MFA can be enabled for individual user accounts and can optionally be enforced for everyone in your organization.
Before using MFA, you will need an app that supports generating one-time passwords (OTP).
For iOS/macOS users we recommend StepTwo. If you are already a 1Password user, you can use 1Password to generate these.
To enable MFA:
- Visit your account settings page in the Interval dashboard.
- Scroll to the section labeled "Multi-factor authentication."
- Click "Enable MFA" and follow the remaining prompts.
As the owner of an organization, you can enforce that all users in your organization have MFA enabled. To enforce MFA:
- Visit the settings page for your organization.
- Click the "Security" tab
- Check the box labeled "Require Multi-factor authentication."
caution
Be aware that requiring MFA for your organization will immediately interrupt all logged in users and prompt for them to enabled it.
Roles
Members of your organization can be assigned one of three roles. Roles determine which functionality users have access to.
- Admins can do everything, including managing users, teams, Live mode API keys, and environments.
- Developers can run actions and view pages in Live mode and develop in Dev mode with their Personal Development Key. Developers cannot create Live mode API keys.
- Members can run actions and view pages in Live mode.
Roles are assigned on the Users page of the dashboard.
Permissions
By default, actions can be accessed by anyone in your organization.
For users on our Teams plan and higher, you can create Teams within your organization. Teams are groups of users. You might have teams for customer support, engineering, ops, and so on. Teams can be created on the Teams page in the Interval dashboard.
Once you've created teams in your organization, you can configure individual actions or pages to be accessible only to members of specific teams.
info
Access control is not currently applied when using a personal development key, only to live environments at this time.
Defining permissions in code
Permissions configuration is done entirely with code. Use the access property when defining a new action to control which teams can access that action or page.
To assign access to specific teams, use the slug for each team, found on the Settings > Teams page.
When applied to Pages, access control is applied
top-down. If access is not specified for a given page or action, Interval will
go up the hierarchy tree to its parent page recursively until it finds a
specified access, or until reaching the top of the hierarchy tree. If no
access is specified, it defaults to "entire-organization".
Here's an example of restricting action access to a single team:
- TypeScript
- JavaScript
- Python
import { Page } from "@interval/sdk";
// only the Support team can view this page
export default new Page({
name: "Support",
access: {
// use the slug for each team, found on the Settings > Teams page
teams: ["support"],
},
handler: async () => {
// your page code
},
});
import { Action } from "@interval/sdk";
// only the Support team can run this action, because its access is controlled
// by the parent Page
export default new Action({
handler: async () => {
// your action code
},
});
import { Action } from "@interval/sdk";
// everyone in the organization can run this action, despite the parent access
// restriction
export default new Action({
access: "entire-organization",
handler: async () => {
// your action code
},
});
const { Page } = require("@interval/sdk");
// only the Support team can view this page
module.exports = new Page({
name: "Support",
access: {
// use the slug for each team, found on the Settings > Teams page
teams: ["support"],
},
handler: async () => {
// your page code
},
});
const { Action } = require("@interval/sdk");
// only the Support team can run this action, because its access is controlled
// by the parent Page
module.exports = new Action({
handler: async () => {
// your action code
},
});
const { Action } = require("@interval/sdk");
// everyone in the organization can run this action, despite the parent access
// restriction
module.exports = new Action({
access: "entire-organization",
handler: async () => {
// your action code
},
});
import os
from interval_sdk import Interval, IO, Page
interval = Interval(
os.environ["INTERVAL_API_KEY"],
)
# only the Support team can view this page
support_page = Page(
name="Support",
# use the slug for each team, found on the Settings > Teams page
access={"teams": ["support"]},
)
@support_page.handle
async def index(display: IO.Display):
# your page code
pass
# only the Support team can run this action, because its access is controlled
# by the parent page
@support_page.action
async def sensitive_action(io: IO):
# your action code
pass
# everyone in the organization can run this action, despite the parent access
# restriction
@support_page.action(access="entire-organization")
async def org_action(io: IO):
# your action code
pass
interval.routes.add("support", support_page)
interval.listen()