There are multiple ways to authenticate to our services, each of them secure and following the principle of least privilege.
The main flows for authentication to our services are outlined below.
Single-use magic email links
What are they?
Secure links that are emailed to you in order for you to access your account.
Where are they used?
- When you sign up: https://cobrowse.io/register.
- When you are required to log in: https://cobrowse.io/login.
An example of the email you receive is shown below.
How are they secure?
- Single use only
- Sent to the account email address
- Expire after 10 minutes
- Tightly scoped (using JWTs, see below)
Generate join links
What are they?
Links that can be generated by an account Administrator to add Team Members to your account.
Where are they used?
- https://cobrowse.io/dashboard/settings/team, by clicking the button shown.
How are they secure?
- Generated by Administrators only
- Expire within 72 hours
- Trigger the single-use magic email link flow (i.e. users must sign up, and Administrators can easily audit who has account access)
- Scoped using JWTs, see below
JSON Web Tokens (JWTs)
What are they?
Secure tokens which carry authentication credentials and are signed and verified by a trusted party: https://docs.cobrowse.io/agent-side-integrations/json-web-tokens-jwts#overview.
Where are they used?
In the majority of our authentication! This is because they are helpful for Single Sign-On (SSO) flows, meaning your trusted credentials for one sign-on are reused for others. Some examples include:
- Our integrations (e.g. Genesys, Zendesk, Freshdesk, Intercom, Salesforce), including the widget view shown below. Your authentication for the integration will be re-used.
- Magic links and join links
- Custom integrations, including using the Agent SDK: https://docs.cobrowse.io/agent-side-integrations/json-web-tokens-jwts#overview
How are they secure?
- They are cryptographically signed and verified for authenticity before granting access.
- They are scoped to grant only the necessary access, and they include an expiry.
More information on the technical implementation of JWTs can be found here: https://docs.cobrowse.io/agent-side-integrations/json-web-tokens-jwts.
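As an added illustration, not Cobrowse's own code: a verifier that enforces the properties listed above for magic links and JWTs (signature, 10-minute expiry, scope, single use). HS256, the key, the `scope` and `jti` claim names and the in-memory used-token set are assumptions made for this example.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample secret, not a real credential
used_jti = set()               # assumption: stands in for a shared store with a TTL

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue(email, scope, jti, now, ttl=600):
    """Mint an HS256 token valid for ttl seconds (600 s = 10 minutes)."""
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": email, "scope": scope, "jti": jti, "iat": now, "exp": now + ttl}
    body = b64(json.dumps(claims).encode())
    return f"{header}.{body}.{b64(sign(f'{header}.{body}'))}"

def redeem(token, required_scope, now):
    """Return the claims if every check passes, otherwise raise ValueError."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(unb64(header_b64))
        sig = unb64(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the token must not choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    # Constant-time comparison of the signature over header.body.
    if not hmac.compare_digest(sig, sign(f"{header_b64}.{body_b64}")):
        raise ValueError("bad signature")
    claims = json.loads(unb64(body_b64))  # trusted only after the signature check
    if now >= claims["exp"]:
        raise ValueError("expired")
    if claims["scope"] != required_scope:
        raise ValueError("wrong scope")
    if claims["jti"] in used_jti:
        raise ValueError("already used")
    used_jti.add(claims["jti"])           # burn the token on first successful use
    return claims
```

The order of checks matters: claims are read only after the signature verifies, and the token is marked as used only after expiry and scope have passed.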
SAML 2.0 Single Sign‑On (SSO)
What is it?
SAML 2.0 enables secure, enterprise‑grade single sign‑on (SSO). It allows agents to authenticate via your identity provider (IdP), leveraging the user's email address as a unique identifier—minimising login friction while maintaining robust security. This setup seamlessly integrates SSO into the Cobrowse experience.
Where is it used?
You can configure SAML by following the instructions in https://docs.cobrowse.io/agent-side-integrations/authentication-saml-2.0. It will then be available from your Enterprise application catalog as well as the dedicated login URL.
How is it secure?
SAML enables security and compliance by centralising authentication through a trusted Identity Provider (IdP), so passwords are never shared with Cobrowse. It uses digitally signed assertions to verify identity, reducing the risk of credential theft, tampering, or phishing. This allows organisations to enforce strong access controls, like MFA, in one place.