Ventry
auth

Sign In & Sign Up

// Landing page

The root route (/) is a loading screen that checks the session cookie and redirects you. Signed-in users go to /applications; unauthenticated visitors are sent to /login. While the check runs, a centred VentryShield logo and an "Initialising" status are shown.

// Login

/login presents the standard credential form: username and password, protected by Google reCAPTCHA v3 in the background. If two-factor authentication is enabled on your account, a second dialog asks for a TOTP code or one of your saved recovery codes before the session is issued.

  • CAPTCHA: reCAPTCHA v3 runs silently; suspicious scores are rejected by the backend with a 4xx response.
  • 2FA: The 2FA dialog accepts a 6-digit TOTP code or a one-time recovery code generated when 2FA was enabled.
  • LINKS: Direct links lead to /register for new accounts and /forgot-password to start a password reset.
  • INFO: The page advertises end-to-end encryption, 2FA availability and brute-force protection as trust signals.

// Register

/register creates a new account. The form validates input live before it is sent:

  • USR: Username: 3 to 32 characters, alphanumerics and underscores only.
  • PWD: Password: minimum 8 characters with a mix of upper-/lower-case letters or digits.
  • EMAIL: A valid email, used for verification and recovery.
  • TOS: Terms of Service and Privacy Policy must be accepted via a required checkbox.
  • VERIFY: On submit a verification email is sent. The /success route displays a confirmation message and redirects to /login after a short delay.

// Sessions

Once authenticated, the session is held as an HTTP-only cookie. The AuthProvider in lib/auth-context.tsx revalidates the session on every page focus and at most once every 60 seconds via /api/auth/check-session. A 401 from any API call automatically signs you out and bounces you to /login.
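One way to express the revalidation throttle and the 401 rule described above, as an added example that is not Ventry's own lib/auth-context.tsx code. The SessionGuard class, its method names and the Action type are hypothetical; it assumes focus events trigger the check, subject to the 60-second limit, and that non-401 responses leave the session untouched.

```typescript
// Added example (hypothetical names). From the page: the 60-second limit,
// /api/auth/check-session, /login, and "a 401 signs you out".
const CHECK_PATH = "/api/auth/check-session";
const MIN_INTERVAL_MS = 60 * 1000;

type Action =
  | { kind: "none" }
  | { kind: "check"; url: string }
  | { kind: "signOut"; redirect: string };

class SessionGuard {
  private lastCheckMs: number | null = null;
  private signedIn = true;

  // Call on every page focus. Returns a check only when one is due, so
  // rapid tab switching cannot flood the session endpoint.
  onFocus(nowMs: number): Action {
    if (!this.signedIn) return { kind: "none" };
    const due =
      this.lastCheckMs === null || nowMs - this.lastCheckMs >= MIN_INTERVAL_MS;
    if (!due) return { kind: "none" };
    this.lastCheckMs = nowMs;
    return { kind: "check", url: CHECK_PATH };
  }

  // Call with the HTTP status of any API response, the check included.
  // Only a 401 ends the session. Assumption: 5xx and other errors are
  // treated as transient and do not sign the user out.
  onResponse(status: number): Action {
    if (status !== 401 || !this.signedIn) return { kind: "none" };
    // Several in-flight calls may all return 401; redirect only once.
    this.signedIn = false;
    this.lastCheckMs = null;
    return { kind: "signOut", redirect: "/login" };
  }

  isSignedIn(): boolean {
    return this.signedIn;
  }
}
```

The cookie is HTTP-only, so the client never reads it; the guard only tracks what the server has told it through status codes.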