Productlane
Productlane
  • Docs
  • Changelog
  • Feature requests
  • Support portal
    • Widget
    • Theme
    • Custom domain
    • SSO
    • Signatures
    • Custom data
    • Widget Content Security Policy (CSP)
Docs / Setup

SSO

Authenticate portal users yourself with JWTs.
SSO

This feature is available on the Scale plan. View all plans

You can easily authenticate users on your portal with your existing system by implementing a simple endpoint that generates a JWT and redirects back to Productlane.

Setup

  1. Activate SSO

    Head to the SSO settings and activate SSO by specifying the URL of the endpoint you plan on using. A signing secret is generated and shown once in a read-only field. Click Copy and close to save it securely. It will not be shown again.

  2. Implement token endpoint

    import jwt from "jsonwebtoken"
    
    import { NextApiRequest, NextApiResponse } from "next"
    
    export default function handler(
      req: NextApiRequest,
      res: NextApiResponse,
    ) {
      // replace with your "getSession"
      const session = { email: "[email protected]", name: "Raphael" }
      const token = jwt.sign(
        {
          email: session.email,
          name: session.name,
          imageUrl: "",     // optional
          orgId: "",        // optional, PL Org ID
          linearOrgId: "",  // optional, Linear Customer Id
          tokenValidity: 15 // optional, in minutes
        },
        "pl_sso_...",
      )
    
      const redirect = req.query.redirect ? "&redirect=" + req.query.redirect : ""
      // custom domain example
      res.redirect("https://support.example.com/api/portal/sso?token=" + token + redirect)
      // subdomain example
      // res.redirect("https://example.productlane.com/api/portal/sso?token=" + token + redirect)
    }
  3. Enable SSO

    If your endpoint is ready, enable the Enable SSO toggle in the SSO settings. This starts routing traffic to your endpoint, so make sure it is ready before enabling.


Privacy controls

Once SSO is active you can control which parts of the portal require authentication.

Make entire portal private

Turn on Make entire portal private to require SSO for every section. When this is enabled, the portal is automatically excluded from search engine indexing (robots.txt, sitemap, and noindex meta tags are all set).

Per-section privacy

If you want only specific sections to require login, leave Make entire portal private off and use the individual section toggles:

Toggle

Section protected

Make Docs private

Docs / Help Center

Make Feature requests private

Roadmap / Feature requests

Make Changelog private

Changelog

Make Support Portal private

Support portal

Private sections are excluded from search engine indexing individually (robots.txt disallow rules, sitemap omission, and noindex meta tags).


Rotating the signing secret

If your secret is compromised or you need to cycle credentials, use the Rotate secret button in the Credentials section of the SSO settings.

  • The current secret stops working immediately when you rotate.

  • Update your SSO endpoint with the new secret before rotating to avoid any login interruption.


Org overwrite

By default, Productlane automatically assigns users to an organisation based on their email domain. When authenticating via SSO, you can override this and manually assign a user to a specific organisation using these optional JWT fields:

  • orgId - the Productlane Organisation ID

  • linearOrgId - the Linear Customer ID

This is useful when a user's email domain does not match their organisation, or when you need explicit control over organisation assignment.


Redirect

Productlane automatically passes a redirect parameter to your endpoint when a user tries to access a specific page before logging in. Forward it in your redirect to send users back to where they came from.

// Forward the redirect param so users land on the page they originally visited
const redirect = req.query.redirect
res.redirect(
  `https://example.productlane.com/api/portal/sso?token=${token}${redirect ? `&redirect=${redirect}` : ''}`
)
PrevCustom domain
NextSignatures
Was this helpful?