MFA & notifications

Summarized from IDENTITY-MFA-NOTIFICATIONS-AND-BRANDING.md. Canonical auth spec — phases P1–P4 done, P5 partial, P6 done (MVP).

Locked decisions

| Topic | Decision |
| --- | --- |
| Email verification | Required at signup (all human accounts) |
| MFA enrollment | TOTP (authenticator app) required after grace period |
| MFA at login | User may complete challenge via TOTP, SMS OTP, or email OTP (configurable preference) |
| MFA grace period | 7 days after signup before MFA is mandatory |
| Remember device | Allowed (~30 days), then full MFA again |
| TE platform billing brand | TenancyEngine (billing.tenancyengine.com, @tenancyengine.com email) |
| TenaBill-only merchants | TenaBill default brand; org may configure custom domain |
| SendGrid | Subaccount per TenaBill merchant; send from merchant subdomain by default |
| Human auth UI | account.tenancyengine.com (and env variants) |
| OIDC issuer (machine) | auth.saasruntime.com; unchanged in SDKs and APIs |
| Dev notifications | Mailpit SMTP; dev SMS via API log lines |

Domain map (human-facing)

| Surface | Production host | Audience |
| --- | --- | --- |
| TE marketing | tenancyengine.com | Public |
| TE console | console.tenancyengine.com | ISV / platform operators |
| Account / MFA / security | account.tenancyengine.com | All OIDC users |
| TE billing portal | billing.tenancyengine.com | ISVs paying for TE |
| TenaBill merchant console | console.tenabill.com | TenaBill merchants |
| TenaBill customer portal | portal.tenabill.com or merchant CNAME | End customers |

Signup & MFA flows

Signup methods

  • Email + password (with email verification before full access)
  • Email magic link
  • Google / Microsoft (social)
  • SMS-assisted signup optional later

Post-signup

  1. User has a 7-day grace period and can use the product with a verified email only.
  2. Before the grace period ends (or on day 8), the user must enroll TOTP on account.tenancyengine.com.
  3. User sets the preferred login challenge: TOTP (default), SMS, or email OTP.
  4. Optional: enroll an SMS phone number and/or backup codes.

Every login (after MFA enrolled)

  1. Primary auth (password, magic link, or social).
  2. MFA challenge via preferred method (TOTP / SMS / email OTP).
  3. Optional "remember this device" (30 days).
  4. Redirect to originating client (console.tenancyengine.com, app, console.tenabill.com, etc.).
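As an added illustration (not code from the spec or the TenancyEngine code base), the post-signup and login rules above expressed as one policy decision run after primary auth succeeds; the account fields, the `device_remembered_at` timestamp and the returned step labels are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GRACE_PERIOD = timedelta(days=7)       # "MFA grace period" decision
REMEMBER_DEVICE = timedelta(days=30)   # "Remember device" decision
MFA_METHODS = {"totp", "sms", "email"}  # allowed login challenge methods


@dataclass
class Account:
    signup_at: datetime          # assumed field: UTC timestamp of signup
    email_verified: bool
    totp_enrolled: bool
    preferred_method: str = "totp"
    sms_enrolled: bool = False   # phone number enrolled for SMS OTP


@dataclass
class LoginContext:
    now: datetime
    # assumed field: when the user last chose "remember this device"; None if never
    device_remembered_at: Optional[datetime] = None


def next_step(account: Account, ctx: LoginContext) -> str:
    """Return the step the account hub must require after primary auth:
    'verify_email', 'allow', 'enroll_totp' or 'challenge:<method>'."""
    if not account.email_verified:
        return "verify_email"
    if not account.totp_enrolled:
        # Within the grace period the product is usable with a verified email only;
        # from day 8 onward enrollment is mandatory before anything else.
        if ctx.now - account.signup_at < GRACE_PERIOD:
            return "allow"
        return "enroll_totp"
    # A remembered device skips the challenge only while the 30-day window is open.
    if (ctx.device_remembered_at is not None
            and ctx.now - ctx.device_remembered_at < REMEMBER_DEVICE):
        return "allow"
    method = account.preferred_method
    if method == "sms" and not account.sms_enrolled:
        method = "totp"  # an SMS preference with no enrolled phone falls back to TOTP
    if method not in MFA_METHODS:
        method = "totp"  # unknown preference never bypasses MFA
    return f"challenge:{method}"
```

Timestamps are compared as UTC-aware datetimes; a remembered-device record older than 30 days is simply ignored rather than extended.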

Audit events

Log email.verified, mfa.enrolled, mfa.challenge, login.success, login.failed, social.linked, device.remembered.

Security UI by surface

| Surface | Security capabilities |
| --- | --- |
| Account hub | Email verification, TOTP QR enrollment, SMS phone, preferred MFA method, backup codes, linked social accounts, active sessions, change password |
| TE console | Settings → Security (deep-link to account hub); Billing → billing.tenancyengine.com |
| TenaBill merchant console | Settings → Security; Branding → custom domain / SendGrid subaccount status |
| TE billing portal | Invoices, payment methods; step-up MFA for payment changes |

Email & SendGrid branding

Platform (TenancyEngine merchant on TenaBill)

TenaBill standalone merchant

  1. Create TenaBill Merchant on signup
  2. Provision SendGrid subaccount (API) for merchant
  3. Default sending domain: {merchant-slug}.mail.tenabill.com
  4. Merchant console → Branding: logo, colors, optional custom domain
  5. Show "Powered by TenaBill" only when no custom domain and merchant is not a platform white-label merchant

Implementation phases

| Phase | Deliverable | Status |
| --- | --- | --- |
| P1 | TenancyPlatform.Notifications (IEmailSender, ISmsVerifier); Mailpit dev | Done |
| P2 | Email verification, account hub, TOTP enrollment, 7-day grace | Done |
| P3 | SMS + email OTP challenge providers (Twilio + SendGrid) | Done (MVP) |
| P4 | Google + Microsoft external login + post-login MFA | Done (MVP) |
| P5 | OIDC clients: TE console, TenaBill console; account proxy | Partial |
| P6 | TenaBill SendGrid subaccount on merchant signup | Done (MVP) |
| P7 | White-label billing.tenancyengine.com + TE SendGrid templates | Planned |
| P8 | Customer portal magic link via merchant-branded SendGrid | Planned |

Local testing

See Local development for Mailpit, MFA enrollment URLs, and OIDC test flows.

TenancyEngine platform documentation