---
type: how-to
---

# Sign up and sign in

Create a caputchin account and start managing site keys. The conceptual reference for what's happening behind the scenes is [account-login](../account-login.md).

## Sign up (first time)

There is no separate "sign up" step. Signing in for the first time with a given email creates the account.

1. Go to `https://app.caputchin.com/login` (or `/login` on whichever host you're running).
2. Pick one of:
   - **Email a sign-in link** — enter your email, click the button, wait for the email. Click the link inside it within 15 minutes.
   - **Continue with GitHub** — consent to the GitHub OAuth prompt. We read your primary verified email and nothing else.
   - **Continue with Google** — consent to the Google OAuth prompt. We read your verified email and nothing else.
3. You land in the dashboard at `/app`. Your account exists.

## Sign in (returning)

Same three paths. We match you by email: whichever path you used the first time, any of the three works for subsequent sign-ins as long as the email matches.

## Mint a site key

1. From the dashboard, navigate to **Sites**.
2. Click **New site**.
3. Enter a friendly name and (optionally) a domain allowlist.
4. The platform returns a `cpt_pub_*` public key and a `cpt_sec_*` secret. **The secret is shown once.** Copy it now; you can rotate it later but you can't recover the original.

Use the public key in the [widget](../widget.md) `sitekey` attribute and the secret in your backend's `/siteverify` call — see [guides/integrate-widget](integrate-widget.md) and [guides/verify-server-side](verify-server-side.md).

## Sign out

Click **Sign out** in the dashboard sidebar. The browser's session cookie is cleared and the corresponding session row in our database is deleted — the cookie is dead immediately on the next request, not at some TTL boundary.

## Mint a Personal Access Token (for OpenAPI / MCP / Terraform)

Once signed in:

1. Navigate to **Tokens**.
2. Click **New token**, name it (e.g. `ci-deploy`, `terraform-prod`), and click create.
3. The platform returns a `cpt_pat_*` value. **Shown once.** Copy it into your CI secrets / `.envrc` / Terraform `caputchin_provider` config.

Authenticate non-UI traffic with `Authorization: Bearer cpt_pat_*`. See [management-api](../management-api.md) for the surface that accepts it.
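
The `cpt_sec_*` secret and `cpt_pat_*` token are each shown once and then live in files such as `.envrc`, so it is worth checking that they never reach version control. The following is an added example, not part of the caputchin product or its docs: a pre-commit style scanner that flags secrets and tokens while leaving `cpt_pub_*` public keys alone. The token body character set and minimum length, the function names and the sample values are assumptions; this page documents only the prefixes.

```python
import re
import sys

# Prefixes come from this page. The body charset and minimum length are an
# ASSUMPTION, since only the prefixes are documented here.
CREDENTIAL = re.compile(r"\bcpt_(pub|sec|pat)_[A-Za-z0-9_-]{8,}")

# cpt_pub_* is meant to be embedded in the widget, so it is not a finding.
SENSITIVE_KINDS = {"sec": "site secret", "pat": "personal access token"}

# Constructed sample input (not real credentials).
SAMPLE = """\
export CAPUTCHIN_PAT=cpt_pat_EXAMPLEexample0001
sitekey="cpt_pub_EXAMPLEexample0002"
secret = "cpt_sec_EXAMPLEexample0003"
# docs: authenticate with Authorization: Bearer cpt_pat_*
"""


def redact(token: str) -> str:
    """Keep the 8-char prefix and last 4 chars so the report itself leaks nothing."""
    return f"{token[:8]}...{token[-4:]}"


def scan_text(text: str, path: str = "<stdin>"):
    """Return (path, line_no, kind, redacted_token) for each sensitive match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CREDENTIAL.finditer(line):
            kind = match.group(1)
            if kind in SENSITIVE_KINDS:
                findings.append(
                    (path, line_no, SENSITIVE_KINDS[kind], redact(match.group(0)))
                )
    return findings


if __name__ == "__main__":
    # Usage: python scan.py file1 file2 ...  (exits 1 if anything is found)
    results = []
    for name in sys.argv[1:]:
        with open(name, encoding="utf-8", errors="replace") as handle:
            results.extend(scan_text(handle.read(), name))
    for path, line_no, kind, token in results:
        print(f"{path}:{line_no}: {kind} {token}")
    sys.exit(1 if results else 0)
```

If the scanner reports a value that was already committed, rotate it rather than only deleting the line.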

## Troubleshooting

| Symptom | Likely cause | Fix |
|---|---|---|
| "Email me a sign-in link" succeeds but no email arrives | Spam folder, or the email address is mistyped | Check spam; wait 60 seconds (rate-limit) then retry with the corrected address |
| "That sign-in link has expired" | Clicked > 15 minutes after we sent it | Request a fresh link |
| "That sign-in link has already been used" | You clicked it on phone, then again on laptop | Request a fresh link — single-use is intentional |
| "Your provider account doesn't have a verified email" | GitHub/Google primary email isn't verified on the provider side | Verify it with the provider, OR use an emailed sign-in link to the same address |
| "This provider account is already linked to a different caputchin account" | The same GitHub/Google account was previously used to sign in under a different email | Sign in with the original email; we don't silently re-bind providers |
| Locked out — lost access to my email | Out-of-band recovery only at MVP | Contact support |

## What's intentionally absent

- No password to set or remember.
- No "remember this device" / persistent cookie option distinct from the default 30-day rolling session.
- No multi-user account model. One account = one email = one user at MVP.
- No SSO / SAML / SCIM at MVP. Deferred to Enterprise — see [roadmap](../roadmap.md).
