
Authentication

Admin login via OIDC SSO, session management, and API token authentication in Enafeedback.


Admin dashboard authentication

The Enafeedback admin dashboard uses OpenID Connect (OIDC) single sign-on. Authentication is handled by the EnaSpace identity provider (EnaCore Identity).

Login flow

  1. Navigate to your workspace URL (e.g., app.enafeedback.com).
  2. Click Sign in.
  3. You are redirected to the EnaSpace identity provider login page.
  4. Enter your credentials (email + password, or SSO with your organisation's IdP if configured).
  5. On successful authentication, you are redirected back to the admin dashboard with a short-lived session token.

Session tokens

  • Access tokens are valid for 1 hour.
  • Refresh tokens are valid for 30 days (revoked on explicit logout).
  • Tokens are stored in cookies set by the server with the HttpOnly, Secure and SameSite=Strict attributes, so they are not readable by page scripts and are only sent over HTTPS on same-site requests.
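The following is an added example, not Enafeedback's own code: it builds a session cookie with the three attributes listed above and audits an arbitrary Set-Cookie header for any that are missing, which is the check to run when verifying a deployment. The cookie name and value are constructed placeholders.

```python
"""Added example (not Enafeedback code): build a session cookie carrying
HttpOnly, Secure and SameSite=Strict, and audit a Set-Cookie header for
missing attributes. Cookie name and value below are placeholders."""


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Set-Cookie value with HttpOnly, Secure and SameSite=Strict.

    Max-Age defaults to 3600 s, matching the 1-hour access token lifetime.
    """
    return f"{name}={value}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Strict"


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into a lowercase attribute map.

    The first pair is the cookie itself and is skipped; flag attributes
    without a value (HttpOnly, Secure) map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower() if val else None
    return attrs


def missing_attributes(header: str) -> list:
    """Return which of HttpOnly / Secure / SameSite=Strict are absent or wrong."""
    attrs = parse_set_cookie(header)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    if attrs.get("samesite") != "strict":   # Lax or None is a finding
        missing.append("SameSite=Strict")
    return missing


if __name__ == "__main__":
    # Constructed placeholder cookie; a real session value is opaque.
    print(build_session_cookie("efa_session", "PLACEHOLDER"))
    print(missing_attributes("efa_session=abc; Path=/; SameSite=Lax"))
```

Run `missing_attributes` over the Set-Cookie header returned after login; an empty list means the cookie matches the policy stated above.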

Multi-factor authentication (MFA)

MFA is managed at the identity provider level. If your organisation requires MFA, it is enforced by the IdP before the token is issued. Contact your IT administrator to enable MFA.

SSO with your identity provider

Enterprise workspaces can configure SAML 2.0 or OIDC federation with their own identity provider (Active Directory, Okta, Entra ID). Contact your account manager to set this up.

Session management

Active sessions are listed in Settings → Security → Active sessions. You can revoke any session (e.g., if a device is lost) by clicking Revoke next to it.


Visitor authentication

Visitors submitting feedback via QR posters do not need an account. The QR code URL itself authenticates the request by encoding the location and session context. No login is required.


API authentication

The Enafeedback REST API uses Bearer token authentication.

Obtaining an API token

API tokens are service account tokens issued for integrations. To create one:

  1. Navigate to Global Settings → Integrations → API Tokens (requires platform:owner role).
  2. Click Create token.
  3. Give the token a name (e.g., "Zapier integration").
  4. The token is displayed once — copy it immediately and store it securely.

Using the token

Include the token in the Authorization header of every API request:

GET /api/surveys HTTP/1.1
Host: api.enafeedback.com
Authorization: Bearer efa_sk_...

Token permissions

API tokens have workspace-level read/write access. Granular per-token scopes are on the roadmap. For now, treat API tokens with the same care as platform:owner credentials.

Revoking a token

If a token is compromised:

  1. Navigate to Global Settings → Integrations → API Tokens.
  2. Find the token and click Revoke.
  3. Revocation is immediate — requests using the revoked token receive HTTP 401.

Rate limiting

API requests are rate-limited to 1,000 requests per minute per workspace. The following headers are included in every response:

X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 987
X-RateLimit-Reset: 1717754400

When the limit is exceeded, the API returns HTTP 429. Retry after the X-RateLimit-Reset timestamp.
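The following is an added example, not Enafeedback's own client library: a minimal API wrapper that sends the Bearer token exactly as shown under "Using the token", treats HTTP 401 as a revoked or invalid token (the behaviour described under "Revoking a token"), and on HTTP 429 waits until the X-RateLimit-Reset timestamp before retrying. The token value, response bodies and the fake transport are constructed so the example runs offline; the `send` callable is an assumption of this example, not part of the Enafeedback API.

```python
"""Added example (not Enafeedback code): Bearer-token client with 401 and 429
handling. TOKEN is a placeholder; the transport is a constructed stand-in."""
import time
from dataclasses import dataclass, field

API_BASE = "https://api.enafeedback.com"   # host shown in the docs
TOKEN = "efa_sk_PLACEHOLDER"                # placeholder, not a real token


@dataclass
class Response:
    """Constructed stand-in for an HTTP response (status, headers, body)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class TokenRevokedError(Exception):
    """Raised on HTTP 401: the token was revoked or was never valid."""


def auth_headers(token: str) -> dict:
    """Authorization header in the documented form: 'Bearer <token>'."""
    if not token or " " in token:
        raise ValueError("token must be a single non-empty string")
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def seconds_until_reset(headers: dict, now: float) -> float:
    """Delay to wait after a 429; X-RateLimit-Reset is a Unix timestamp."""
    reset = int(headers.get("X-RateLimit-Reset", now))
    return max(0.0, reset - now)


def request_with_retry(send, method: str, path: str, token: str,
                       max_retries: int = 3, sleep=time.sleep, now=time.time) -> Response:
    """Call send(method, url, headers); on 429 sleep until reset and retry.

    `send`, `sleep` and `now` are injected so the logic can be exercised
    offline against a fake transport and a fixed clock.
    """
    url = API_BASE + path
    headers = auth_headers(token)
    for attempt in range(max_retries + 1):
        resp = send(method, url, headers)
        if resp.status == 401:
            # Revocation is immediate: do not retry, rotate the token instead.
            raise TokenRevokedError("401 from API: token revoked or invalid")
        if resp.status == 429 and attempt < max_retries:
            sleep(seconds_until_reset(resp.headers, now()))
            continue
        return resp


def make_fake_transport(script):
    """Constructed transport: returns scripted responses in order, records calls."""
    calls = []

    def send(method, url, headers):
        calls.append((method, url, headers))
        return script[min(len(calls) - 1, len(script) - 1)]

    send.calls = calls
    return send


if __name__ == "__main__":
    limited = Response(429, {"X-RateLimit-Limit": "1000",
                             "X-RateLimit-Remaining": "0",
                             "X-RateLimit-Reset": "1717754400"})
    ok = Response(200, {"X-RateLimit-Remaining": "987"}, '{"surveys": []}')
    transport = make_fake_transport([limited, ok])
    resp = request_with_retry(transport, "GET", "/api/surveys", TOKEN,
                              sleep=lambda s: print(f"sleeping {s}s"),
                              now=lambda: 1717754390.0)
    print(resp.status, resp.body)
```

Because the docs say tokens carry workspace-wide read/write access, the 401 path deliberately does not retry with the same token: a revoked token stays revoked, and the caller should fetch a freshly issued one rather than loop.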