Earlier this month, as part of our series on the new platform architecture, we set out how authentication now works across the Simwood API: hashed API keys with granular scopes for machines, OIDC-issued tokens for humans, and Basic Auth heading for a dignified retirement. API keys went live first. Today we can confirm the second piece: portal login is moving to our new identity platform, and the switchover is imminent.
Here's the headline: you shouldn't notice anything.
What's actually changing
Under the hood, this is one of the more significant changes we've made to the portal in years. Login moves from our own custom flow to an industry-standard OpenID Connect service running at auth.simwood.com, built on Keycloak - the same battle-tested open-source identity platform trusted by banks, governments, and Fortune 500s alike.
When the switch happens, the login page will look a little different (same Simwood branding, new address), and that's the extent of it:
- Your email and password work exactly as before. No reset, no re-registration, no "welcome to the new system" email demanding action.
- Your two-factor authentication carries over. If you use an authenticator app today, the same app and the same codes keep working.
- Everything in the portal behaves as it did. Same features, same account, same permissions.
In our earlier post we said the migration would involve an invitation to set a new password. We've since done better than that: credentials migrate transparently, and your existing password is seamlessly upgraded to the new platform the first time you log in. The best migrations are the ones you never notice, and we've engineered this one to be exactly that.
Why bother, then?
Because what you don't see matters, and because of what it unlocks.
The new flow is built on the OAuth 2.0 Authorization Code flow with PKCE - today's standard for browser-based login - with short-lived access tokens, refresh tokens in httpOnly cookies the browser's JavaScript can never read, and central session management so a revoked login is revoked everywhere, immediately. Your portal session now carries the same granular scopes as our API keys, so one consistent permission model governs every request that touches the platform, whether it came from a script or a person.
Managing your login remains self-service, now through a dedicated account console - change your password, manage two-factor authentication, and, new this time, review and revoke your active sessions, all without a support ticket.
But the bigger reason is where this takes us next.
What it unlocks
Our old login flow was ours alone, which meant every improvement to it was ours to build alone. Standing on an open standard changes the economics entirely. On the roadmap, in rough order:
- Passkeys. Passwordless login using the biometrics already on your device - Face ID, Touch ID, Windows Hello, or a hardware key. Phishing-resistant by design, and faster than typing a password ever was. This is the one we're most excited about, and the new platform supports it natively.
- Sign in with the identity you already have. Google, Microsoft, and GitLab to begin with - handy for teams who manage access centrally and would rather not maintain another password at all.
- Finer-grained roles for your team. Today it's owners and users; the same scope model that powers our API keys lets us offer more precise roles over time, so you can grant a colleague exactly the access they need and nothing more.
None of these were realistic on the old system. All of them are natural extensions of the new one.
What you need to do
Nothing. That's the point.
The switchover is imminent. When it lands, log in as normal; if you're curious, the only tell will be the address bar reading auth.simwood.com for a moment while you sign in. As ever, if anything doesn't behave as promised, our support team wants to hear about it - but we've tested this one to the point where we'd be surprised.
We said earlier in July that authentication was being done right. This is what that looks like when it reaches the portal: a foundation you can't see, carrying features you'll soon be very glad of. Watch this space!