Delino provides secure authentication, offering safe access to the platform through multiple authentication methods. This guide covers authentication mechanisms, security features, and best practices.

Authentication Methods

Delino supports two primary authentication methods:

Web Authentication

Dashboard Access
  • Email/password login
  • Social login support
  • Automatic session refresh
  • Session management
  • Secure token-based authentication

API Keys (PATs)

Programmatic Access
  • Used for API and service integration
  • Personal Access Tokens
  • Fine-grained scope permissions
  • Restricted to public APIs only
  • No dashboard access

Authentication Flow

How Authentication Works

Delino’s authentication flow:
  1. User Initiates Login: User navigates to Delino and clicks “Sign In”
  2. Authentication Page: User is directed to the authentication page, which offers:
     • Email/password login
     • Social login options
  3. Credential Verification: System verifies credentials and validates user identity
  4. Session Established: User is redirected back to Delino with an active session:
     • User record created/updated
     • Session established
     • Dashboard access granted

API Key Authentication

Personal Access Tokens (PATs)

API keys provide secure programmatic access:
API keys are restricted to public APIs only. They cannot access internal or admin endpoints.
Key Features:
  • Created through Delino console
  • Securely managed backend
  • Fine-grained scope permissions
  • Optional expiration (up to 100 years)
  • Token value shown only once at creation
Authentication Flow:
API Request
├── Header: Authorization: Bearer deli_...
├── Extract token from header
├── Validate token
├── Verify scopes for requested operation
└── Grant/Deny access

Scope-Based Authorization

API keys use scopes to control access. Scope format: service:resource:action. Examples:
  • * - Full access (development only)
  • service:* - All operations for a specific service
  • service:resource:action - Specific operation only
See API Key Scopes for complete reference.

Public API Restriction

API keys (PATs) can only access public APIs. Private and admin endpoints require web session authentication.
Public APIs (accessible with API keys):
  • Service-specific operations
  • Usage reporting
  • Resource management within scope
Private APIs (require web session):
  • Admin operations
  • User management
  • System configuration
  • Billing portal access (except via specific scope)

API Key Security

API keys generated securely:
  • Cryptographic random suffix (24 bits of entropy)
  • Unique internal names
  • Collision-resistant
  • Unpredictable values
API keys stored securely:
  • Token value hashed
  • Only shown once at creation
  • Database stores hash only
  • Cannot be recovered if lost
API keys transmitted securely:
  • HTTPS only
  • Authorization header
  • Never in URL parameters
  • Never in logs
API keys validated on every request:
  • Token signature check
  • Expiration verification
  • Scope validation
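As an added example (not Delino’s own code), the server-side checks that the API Key Authentication, Scope-Based Authorization and API Key Security sections describe: hash-only storage of the token, a once-only plaintext at creation, expiration, wildcard scope matching (*, service:*, service:resource:action) and the public-API restriction. The deli_ prefix comes from the page; the SHA-256 hashing, token length, store layout and function names are assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed in-memory store: the server keeps only the SHA-256 of each token,
# so a leaked database cannot be turned back into usable keys (assumed layout).
_KEY_STORE: dict = {}

def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def create_key(scopes: list, ttl_days: Optional[int] = None) -> str:
    """Mint a token with the page's 'deli_' prefix. The plaintext is returned
    exactly once; only its hash and metadata are retained. Expiration is
    optional, as on the page (token length after the prefix is an assumption)."""
    token = "deli_" + secrets.token_urlsafe(24)
    expires = None if ttl_days is None else datetime.now(timezone.utc) + timedelta(days=ttl_days)
    _KEY_STORE[_hash_token(token)] = {"scopes": list(scopes), "expires": expires}
    return token

def scope_allows(granted: str, required: str) -> bool:
    """Match a required 'service:resource:action' against one granted scope,
    which may be '*', 'service:*' or an exact three-part scope."""
    if granted == "*":
        return True
    g, r = granted.split(":"), required.split(":")
    if len(r) != 3:
        return False
    for i, part in enumerate(g):
        if part == "*":
            return True            # wildcard covers the rest of the path
        if i >= len(r) or part != r[i]:
            return False
    return len(g) == 3             # a bare 'service' with no wildcard grants nothing

def authorize(auth_header: Optional[str], required_scope: str, endpoint_public: bool = True) -> tuple:
    """Page flow: extract token -> validate -> verify scopes -> grant/deny."""
    if not endpoint_public:        # PATs never reach private/admin endpoints
        return False, "pat_not_allowed_on_private_api"
    if not auth_header or not auth_header.startswith("Bearer deli_"):
        return False, "malformed_header"
    record = _KEY_STORE.get(_hash_token(auth_header[len("Bearer "):]))
    if record is None:
        return False, "unknown_token"
    if record["expires"] is not None and datetime.now(timezone.utc) >= record["expires"]:
        return False, "expired"
    if not any(scope_allows(s, required_scope) for s in record["scopes"]):
        return False, "insufficient_scope"
    return True, "ok"
```

The lookup is by hash, so the plaintext token never needs to be stored or logged; a request is denied before the scope check if the header is malformed, the token is unknown or it has expired.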

Session Management

Web Sessions

Dashboard sessions are managed automatically:
  • Session Duration (duration): Typically 7-30 days with automatic refresh
  • Idle Timeout (duration): Configurable per organization. Default: 30 minutes of inactivity
  • Concurrent Sessions (number): Multiple sessions allowed. Each device maintains a separate session

Session Features

  • Auto Refresh: Sessions automatically refreshed before expiration
  • Remember Me: Optional extended session duration
  • Multiple Devices: Access from multiple devices simultaneously

Security Best Practices

For your account password:
  • Minimum 12 characters
  • Mix of letters, numbers, symbols
  • Avoid common patterns
  • Use password manager
Two-factor authentication:
  • TOTP (Google Authenticator, etc.)
  • SMS verification (if enabled)
  • Backup codes
  • Required for admin accounts
Regular API key rotation:
  • Every 90-365 days
  • After team member departure
  • On security incident
  • Document rotation schedule
Review active sessions:
  • Check for unknown devices
  • End inactive sessions
  • Review login history
  • Report suspicious activity
Apply principle of least privilege:
  • Minimum required scopes for API keys
  • Appropriate team roles
  • Regular permission audits
  • Remove unnecessary access
Protect authentication credentials:
  • Never share passwords
  • Never commit API keys to git
  • Use environment variables
  • Rotate on exposure

Troubleshooting

Cannot Log In

If you cannot log in to Delino:
  1. Verify Email: Ensure you are using the correct email address
  2. Reset Password: Use password reset function
  3. Browser Issues: Clear cache and cookies
  4. Contact Support: If problem persists

Session Errors

If you experience session issues:
  1. Session Expired: Log out and log in again
  2. Clear Session: Clear browser cache and cookies, then re-authenticate
  3. Contact Support: If problem persists

API Key Not Working

If API key authentication fails:
  1. Check Expiration: Verify key hasn’t expired
  2. Verify Scopes: Ensure key has required permissions
  3. Public API: Confirm endpoint is public (not admin)
  4. Header Format: Use Authorization: Bearer deli_...
  5. Test Key: Try simple API call to verify

Next Steps