Skip to main content
Ultra Hub supports multiple authentication methods: web-based login, CLI authentication, and deploy keys for headless environments. For enterprise identity provider integration, see Single Sign-On (SSO) and SCIM Directory Sync.

Authentication Priority

Ultra checks for authentication in this order:
  1. Web authentication — Email + verification code (passwordless)
  2. CLI authenticationultra login (OAuth2 PKCE flow)
  3. Deploy keysULTRA_DEPLOY_KEY environment variable or config file

Web Authentication

Ultra Hub uses passwordless authentication for the web interface. No passwords to remember or rotate.

How It Works

  1. Navigate to your Hub instance and click Sign In
  2. Enter your email address
  3. Check your inbox for a verification code
  4. Enter the code to complete sign-in
Sessions are maintained via secure cookies. You’ll be prompted to re-authenticate when your session expires.

CLI Authentication

Authenticate from the command line using OAuth2: 
ultra login
This opens your browser to complete authentication. After logging in, your credentials are stored locally in your Ultra config file and used for subsequent commands. 
# Login to the default Hub
ultra login

# Login to a self-hosted Hub
ultra login --hub https://hub.mycompany.com

How It Works

  1. Ultra starts a local callback server on port 19284
  2. Your browser opens to the Hub authentication page
  3. You sign in (or create an account)
  4. Hub redirects back to the local server with an auth token
  5. The token is saved to your config file

Session Management

  • Tokens are stored in ~/.config/ultra/config.yaml
  • If your session expires, Ultra warns you and disables Hub sync
  • Re-run ultra login to refresh your session

Check Login Status

# Shows your current auth state
ultra link  # Will tell you if you're not logged in

Deploy Keys

For CI/CD pipelines, MDM fleet deployments, and other headless environments where browser-based login isn’t possible, use deploy keys. Deploy keys are long-lived tokens scoped to a specific workspace that allow gateways to authenticate without a browser login. See the Deploy Keys page for setup and management.

Account Lockout

To protect against brute-force attacks, Ultra Hub enforces account lockout after repeated failed authentication attempts. If your account is locked, wait for the lockout period to expire before trying again, or contact your organization’s admin.

Logging Out

# Logout and clear credentials
ultra logout

# Logout without confirmation
ultra logout --force
Logging out clears all Hub credentials and unlinks the gateway if it’s currently linked.