Authentication
How authentication works in Reeve — sign up, sign in, team invites, and API access.
Reeve uses a layered authentication system. Users sign in through a secure identity provider, APIs use session tokens, and team members join through invites.
Signing Up
Create a Reeve account at meetreeve.com:
- Click Get Started
- Sign up with Google, a magic link (email), or email + password
- You're taken to the Cockpit — ready to go
No credit card required for the Free tier.
Signing In
Reeve supports three sign-in methods:
| Method | How it works |
|---|---|
| Google OAuth | One click — sign in with your Google account |
| Magic link | Enter your email → click the link in your inbox → signed in |
| Email + password | Traditional credentials |
Desktop App
The Desktop App handles authentication automatically:
- Launch Reeve from Applications
- A browser window opens for sign-in
- Authenticate with any method above
- The app receives a session token and you're connected
You only need to sign in once — the session token is stored locally and refreshes automatically.
Cloud (Browser)
Go to app.meetreeve.com and sign in. Your session persists across browser tabs and restarts.
Team Access
Inviting Team Members
On Team ($120/mo) and Cloud plans, you can invite team members:
- Go to Settings in the Cockpit
- Click Team → Invite Member
- Enter their email address
- They receive an invitation email with a link to join
Team members get their own login and can access shared connectors, dashboards, and agents based on their role.
Roles
| Role | What they can do |
|---|---|
| Owner | Full access — billing, team management, all features |
| Admin | Manage connectors, agents, and settings (no billing) |
| Member | View dashboards, chat with agents, view data |
Session Tokens
After authentication, Reeve issues a session token — a secure UUID used for all API requests:
User → Sign in → Identity Provider → Session Token → All Reeve APIs

Session tokens:
- Expire after 30 days of inactivity
- Can be revoked instantly from Settings
- Are opaque — they don't carry claims like JWTs, so revocation is immediate
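The three properties above (opaque identifier, inactivity expiry, immediate revocation) follow from looking the token up server-side on every request. The sketch below is an added example, not Reeve's code; `SessionStore`, its methods, the in-memory dict, and the choice to store only a SHA-256 digest of the token are assumptions made for illustration.

```python
import hashlib
import uuid
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(days=30)  # from the page: expire after 30 days of inactivity


class SessionStore:
    """Hypothetical in-memory store; a real service would use a database or cache."""
    def __init__(self):
        self._sessions = {}  # sha256(token) -> {"user": ..., "last_seen": ...}

    @staticmethod
    def _key(token):
        # Keep only a digest so a leaked session table does not expose usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now):
        token = str(uuid.uuid4())  # random UUID; carries no claims
        self._sessions[self._key(token)] = {"user": user, "last_seen": now}
        return token

    def validate(self, token, now):
        """Return the user for a live session, else None. Runs on every request."""
        key = self._key(token)
        record = self._sessions.get(key)
        if record is None:
            return None  # unknown or revoked
        if now - record["last_seen"] > INACTIVITY_LIMIT:
            del self._sessions[key]  # idle too long: purge the session
            return None
        record["last_seen"] = now  # activity resets the inactivity window
        return record["user"]

    def revoke(self, token):
        return self._sessions.pop(self._key(token), None) is not None


def demo():
    store = SessionStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamps
    token = store.issue("alice@example.com", t0)
    active = store.validate(token, t0 + timedelta(days=29))        # within window
    still_active = store.validate(token, t0 + timedelta(days=58))  # window slid at day 29
    expired = store.validate(token, t0 + timedelta(days=89))       # 31 idle days
    token2 = store.issue("alice@example.com", t0)
    store.revoke(token2)
    revoked = store.validate(token2, t0)  # rejected on the very next lookup
    return active, still_active, expired, revoked
```

A signed JWT, by contrast, stays valid until its `exp` unless the verifier also consults a server-side denylist, which is why the opaque design makes revocation immediate.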
Gateway Authentication
If you self-host or use the CLI, the local gateway uses a gateway token for API access:
```json
{
  "gateway": {
    "auth": {
      "token": "your-secret-token"
    }
  }
}
```

The onboarding wizard generates this automatically. All requests to the gateway must include this token.
For details on gateway auth, see Gateway Authentication.
LLM Provider Keys
User authentication and LLM provider authentication are separate systems:
- User auth — Signs you into Reeve (covered on this page)
- LLM keys — Connects Reeve to AI model providers like Anthropic or OpenAI
On the Free and Pro plans, you bring your own API keys (BYOK). On Team and Cloud plans, managed keys are available.
See API Keys for setting up LLM provider authentication.
Security
- All authentication happens over HTTPS
- Passwords are hashed with industry-standard algorithms
- Rate limiting and brute-force protection are built in
- OAuth state tokens expire after 10 minutes (CSRF protection)
- Session tokens are revocable server-side without waiting for expiry
- CORS is configured for authorized domains only
For a deeper technical dive into Reeve's authentication architecture — including service-to-service auth, guest mode, and cloud vs. local auth differences — see the Authentication Overview.