How it works (30 seconds)
Mission Control is the identity provider — the one place people sign in. Each app delegates its login to it: when someone opens an app, they're sent to Mission Control to sign in, then returned with a signed token the app trusts. Apps never see passwords.
1 Open the Single sign-on panel
In Mission Control, go to:
You'll see two cards — Staff (who can sign in) and Applications (the apps that trust the login) — plus a Try the demo button.
2 Add yourself as the first staff member
Before anything can sign in, there has to be someone to sign in. Add yourself first.
3 Register your first application
Now connect an app so it uses this login. Registering gives the app a key and the list of redirect URLs it's allowed to return users to.
4 See it work — Try the demo
Click Try the demo at the top of the panel. It runs the full handshake — sign in at Mission Control, get bounced back to a sample app already signed in — so you can watch SSO in action before you wire a real app.
Good to know
- Apps never see passwords. They only ever receive a short-lived, cryptographically signed token — so a compromised app can't leak your team's credentials.
- Turning SSO on is safe. Each app keeps its own local login as a fallback, so nothing locks you out while you roll it out.
- Access is instant to revoke. Disable a staff member and they can no longer sign in to anything (see the Add staff guide).