Authentication
Otto uses industry-standard authentication to keep your account secure. The VS Code extension authenticates via OAuth 2.0 with PKCE, and API access uses JWTs.
VS Code Extension (OAuth + PKCE)
When you run "Otto: Sign In" from the command palette, the extension initiates an OAuth 2.0 Authorization Code flow with PKCE (Proof Key for Code Exchange). This is the recommended flow for public clients such as desktop applications, which cannot keep a client secret:
- The extension generates a cryptographic code verifier and challenge
- A browser window opens to the Otto sign-in page
- After you authenticate, the browser redirects back to the extension
- The extension exchanges the authorization code for access and refresh tokens
Tokens are stored securely in the VS Code secret storage. The access token is used for all MCP server communication.
Token Lifecycle
- Access tokens expire after 1 hour and are refreshed automatically
- Refresh tokens expire after 30 days of inactivity
- If the refresh token expires, you will need to sign in again
Web Dashboard
The Otto web dashboard uses standard session-based authentication. Sign in with your email and password, or use a supported OAuth provider (GitHub, Google). Sessions use secure, HTTP-only cookies.
API Authentication
API requests require a valid JWT sent as a Bearer token in the Authorization header (Authorization: Bearer <token>). JWTs are signed using RS256 and include claims for user identity and licensed products.
Security Measures
- All authentication endpoints are rate-limited (5 requests per 15 minutes per IP)
- CSRF protection on all state-changing endpoints
- Passwords are hashed with bcrypt (cost factor of at least 12)
- Failed sign-in attempts trigger progressive lockout