
Google SSO

All Aithroyz tool subdomains are protected by centralized Google OAuth. One sign-in covers all tools in all your environments.

Aithroyz uses a centralized auth-proxy (auth.ops.aithroyz.com) running oauth2-proxy with Google OAuth. Every tool gateway forwards authentication requests to this proxy. You sign in once and a cookie covers all tools.

How access control works

When you access a tool URL (e.g. elastic.acme-soc.ops.aithroyz.com):

1. Caddy gateway checks for a valid auth cookie from auth.ops.aithroyz.com
2. If no cookie, redirects to https://auth.ops.aithroyz.com/oauth2/start
3. Google OAuth prompts for login
4. On success, sets a cookie for *.ops.aithroyz.com (covers all subdomains)
5. Caddy checks the X-Auth-Request-Email header against the allowed email domain list
6. If the email domain matches, access is granted

Allowed email domains

By default, any @gmail.com or Google Workspace account can authenticate. You can restrict access to specific email domains by setting the allowed_email_domains variable in your plan configuration.

For example, setting allowed_email_domains = ["company.com"] only allows Google accounts with @company.com emails.
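The domain check in step 5, sketched as an added example (this is not Aithroyz or oauth2-proxy code). It covers only the restricted case where allowed_email_domains is set, and it assumes exact, case-insensitive matching on the domain part; the function name and the sample header values are constructed for illustration.

```python
# Added example: strict matching of an X-Auth-Request-Email value against
# an allowed_email_domains list. Exact-match semantics are an assumption;
# the page only says the email domain must "match".

def email_domain_allowed(header_value, allowed_domains):
    """Return True only if the header holds one address in an allowed domain."""
    if not header_value:
        return False  # missing or empty header: fail closed
    email = header_value.strip()
    # Accept exactly one local@domain pair; reject lists and embedded spaces.
    if email.count("@") != 1:
        return False
    if any(c.isspace() or c == "," for c in email):
        return False
    local, domain = email.split("@")
    if not local or not domain:
        return False
    allowed = {d.strip().lower().lstrip("@") for d in allowed_domains}
    # Exact comparison. A suffix test such as domain.endswith("company.com")
    # would also accept "evilcompany.com".
    return domain.lower() in allowed


# Constructed header values, paired with the decision each should produce
# for allowed_email_domains = ["company.com"].
SAMPLES = {
    "alice@company.com": True,
    "Alice@COMPANY.com": True,             # domain compared case-insensitively
    "bob@evilcompany.com": False,          # shares a suffix, different domain
    "bob@company.com.example.net": False,  # allowed name used as a prefix
    "bob@sub.company.com": False,          # subdomains are not implied
    "bob@company.com@example.net": False,  # more than one "@"
    "bob@gmail.com": False,
    "": False,
}


def check_samples(allowed_domains):
    """Evaluate every constructed sample and return {value: decision}."""
    return {v: email_domain_allowed(v, allowed_domains) for v in SAMPLES}


if __name__ == "__main__":
    for value, decision in check_samples(["company.com"]).items():
        print(f"{value!r:34} -> {'allow' if decision else 'deny'}")
```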

⚠ The registered Google OAuth redirect URI is https://auth.ops.aithroyz.com/oauth2/callback. This is a shared callback: all tenants use the same Google OAuth client. Custom per-tenant OAuth clients are not yet supported.