getting-started

Sign in to your workspace

ESSENTIALEstimated read: 4 min· Updated 2026-06-02

Sign in to your workspace

EssentialAny user

Every signed-in surface in AxisSynapse begins at the workspace sign-in page. Depending on how your workspace is configured, you'll see one of three doors: email + password, single sign-on via your organization's identity provider, or a passkey prompt that signs you in with one tap. Most workspaces enable more than one — pick whichever is easiest.

TL;DR — Go to your workspace URL (<your-workspace>.axissynapse.com), enter your email, and AxisSynapse routes you to the right sign-in method automatically. If your account is enrolled in MFA or has a Passkey, the flow asks for it after the first proof.

Before you start

  • Know your workspace URL. It looks like <your-workspace>.axissynapse.com or a custom domain your admin configured (see Branding your workspace). If you don't know the URL, ask your admin or check your invitation email — every invite carries the exact URL.
  • For SSO: be signed in to your identity provider in this browser, or ready to sign in when prompted.
  • For passkey: have your enrolled device (phone, password manager, hardware key) handy.
  • For recovery codes: keep the codes in a secure password manager — you'll need them only if you lose every other factor.

Phishing-resistance posture

AxisSynapse sign-in pages are only ever served from your workspace domain over HTTPS. We never email an embedded sign-in form. If you see a sign-in form delivered via email, message, or popup that says it's AxisSynapse, treat it as suspicious and report it.

Sign in with email + password

The path most workspaces enable for the first user.

  1. Open your workspace URL

    Browse to your workspace address. The sign-in card appears with an email field and a Continue button.

  2. Enter your email and click "Continue"

    AxisSynapse looks up which identity providers serve your email domain (see Configure single sign-on for how that's wired up) and routes you to the right next step.

  3. Enter your password

    Type your password. Show password reveals it temporarily; Forgot password? sends a reset link to your email.

  4. Complete MFA if required

    If your workspace requires MFA and you're enrolled, you'll see the challenge for whichever factor you set up first — authenticator app code, passkey, hardware key, or a recovery code. See the "Multi-factor authentication" section below for the full pattern.

  5. Pick a workspace

    If you belong to more than one AxisSynapse workspace (e.g. a contractor working across customers), the post-sign-in switcher lists them in last-used order. Pick one to land on its home.

Sign in with single sign-on

If your workspace has at least one identity provider configured, the sign-in form auto-detects your email domain and routes you to the right provider.

  1. Enter your work email

    Type your full work address. AxisSynapse matches the domain against the workspace's identity providers; when there's a match the form swaps to a Continue with <Identity provider> button.

  2. Click "Continue with `<provider>`"

    You're redirected to your identity provider's sign-in page — Microsoft Entra ID, Okta, Google Workspace, Auth0, OneLogin, or any other SAML 2.0 IdP your admin configured.

  3. Complete the IdP flow

    Sign in to your identity provider as you normally do. If you're already signed in there, the IdP redirects you back immediately; most providers don't ask twice within their session.

  4. Land in your workspace

    AxisSynapse provisions your account on first sign-in (JIT provisioning) using the email, first name, and last name your IdP returned. Subsequent sign-ins skip provisioning.

Sign in with a passkey

If your account has a passkey and your workspace allows it, the fastest path skips the password entirely.

  1. Open the sign-in page

    Browse to your workspace URL. Modern browsers surface enrolled passkeys in their autofill chrome — your name and authenticator appear above the keyboard or next to the email field.

  2. Pick your passkey

    Tap or click the suggestion. The browser asks for a local verification (Face ID, Touch ID, Windows Hello, the device PIN, or a tap on a hardware key), then signs you in.

  3. No password, no MFA prompt

    Passkeys are WebAuthn-backed, which already satisfies the second-factor requirement. The sign-in completes in one tap; no additional challenge appears unless your account is about to do a high-impact action (see Step-up authentication).

Every field, explained

FieldWhat it doesAccepted values / default
EmailIdentifies you to AxisSynapse and routes the sign-in to the right factor (password / SSO / passkey).Your full work email. Case-insensitive on the local part; canonical lowercase on the domain.
PasswordYour password (only shown if your workspace allows password sign-in for your account).Minimum length and complexity are set by your workspace's password policy. The Show password toggle reveals it temporarily.
Remember meKeeps your sign-in cookie alive longer on a shared session, up to the cap set by your workspace's session policy.Off by default. Don't enable on shared / public devices.
Continue with <provider>Appears when AxisSynapse detects your email domain is served by a configured SAML identity provider.Redirects you to the IdP. Replaces the password step entirely.
Use a passkeyAppears when at least one passkey is enrolled for your account and your workspace's attestation policy permits the authenticator family.One tap; no password; satisfies MFA. See Account / Security to manage your enrolled passkeys.
Trouble signing in?Reveals the recovery options: forgot password, lost MFA device, use a recovery code, contact your admin.Each option routes to the right recovery flow without exposing the existence of accounts that aren't registered.

Multi-factor authentication

When your workspace requires MFA and your account is enrolled, the challenge appears after the first proof (password or SSO assertion). AxisSynapse remembers which factor you used last and shows it first — the others appear behind a Try another way link.

FieldWhat it doesAccepted values / default
Authenticator app code (TOTP)A 6-digit code that rotates every 30 seconds. Generated by your authenticator app.Any TOTP-compliant app works: 1Password, Authy, Google Authenticator, Microsoft Authenticator, Bitwarden, etc.
Hardware keyA FIDO2 / WebAuthn hardware key (YubiKey, Titan, etc.).Insert the key, tap when prompted, sign-in completes. Phishing-resistant.
PasskeyA passkey enrolled on this device or synced from your password manager.Phishing-resistant; satisfies the strongest MFA policy.
Recovery codeOne of the single-use codes generated when you enrolled your first factor.Use only as a last resort. Each code is one-time; regenerate the batch from Account / Security afterward.

What appears in the audit log

Every sign-in attempt — successful or failed — is recorded.

ACCOUNT_SAML_SIGNIN_SUCCESSACCOUNT_SAML_SIGNIN_FAILEDACCOUNT_WEBAUTHN_SIGNIN_SUCCESSACCOUNT_WEBAUTHN_SIGNIN_FAILEDACCOUNT_MFA_DEVICE_VERIFIEDACCOUNT_MFA_RECOVERY_CODE_USED
  • ACCOUNT_SAML_SIGNIN_SUCCESS / ..._FAILED — SAML sign-in outcomes.
  • ACCOUNT_WEBAUTHN_SIGNIN_SUCCESS / ..._FAILED — passkey or hardware-key sign-in outcomes.
  • ACCOUNT_MFA_DEVICE_VERIFIED — successful TOTP / hardware-key challenge.
  • ACCOUNT_MFA_RECOVERY_CODE_USED — a one-time recovery code was redeemed. Always review this entry — recovery codes are meant for emergencies, not steady use.

Admins see the same lines in Security Console; developers can subscribe via event webhooks.

Common gotchas

  • "I don't know my workspace URL." Search your email for any past invitation or notification from AxisSynapse — the URL is in the footer of every message. If you still can't find it, ask your admin; we never expose the workspace URL by searching for an email to keep tenant discovery shut off.
  • "I'm being redirected to my old company's SSO." If you moved workspaces, your domain may still be routed by the previous workspace's SSO. Sign out of the old workspace in another tab, then retry — AxisSynapse re-routes based on the active session.
  • "I see a 'Forbidden' page after signing in." Your workspace has a network policy that rejects your current IP. Either connect via the corporate VPN your admin whitelisted, or ask your admin to allow the IP you're on.
  • "My passkey isn't offered." Your workspace's attestation policy may not allow your authenticator family (e.g. synced passkeys are denied). Enroll a hardware key or use SSO. See Passkeys & WebAuthn.
  • "I'm rate-limited." Repeated failed attempts pause sign-in briefly. Wait for the cooldown, double-check the email + password, and use the recovery flow if needed. Never keep retrying — the pause grows with each failure.

Troubleshooting

| Error code | What it means | Fix | |---|---|---| | AUTH_INVALID_CREDENTIALS | The email + password don't match. | Reset your password via Forgot password?. | | AUTH_ACCOUNT_LOCKED | Too many failed attempts in a short window. | Wait for the cooldown. If it persists, contact your admin. | | AUTH_MFA_REQUIRED | The workspace requires MFA, and you have nothing enrolled. | Sign in to a different workspace surface that walks you through enrollment, or contact your admin to grant a grace period. | | NETWORK_POLICY_BLOCKED | Your IP is outside the workspace's allowlist. | Connect via the corporate VPN or ask your admin to allow the IP. |

See the full catalogue at Reference / Error codes.

Related

Configure single sign-on

Set up SAML SSO so your team signs in with the company identity.

Multi-factor authentication policy

Require MFA, set grace periods, pick acceptable factors.

Passkeys & WebAuthn

Phishing-resistant credentials end-to-end.

Account security

Manage your password, devices, sessions, and recovery codes.