Application Settings
Each application in Aero2 has configurable settings that control authentication behavior, security policies, and access control. MFA policy is currently shipped; the other settings below describe the planned model.
Settings
Signup Mode
Control who can create accounts in your application:
| Mode | Behavior |
|---|---|
| Open | Anyone can register for an account |
| Invite only | New users must be invited by an admin or existing member |
| Restricted | Only users with email addresses matching an allowed domain list can register |
MFA Policy
Set the multi-factor authentication requirement for your application. See Configure MFA for an Application for end-to-end setup steps.
| Policy | Behavior |
|---|---|
| off (default) | MFA setup endpoints are disabled |
| optional | Users can enable MFA for their own accounts |
| required | All users must configure MFA before they can sign in |
A companion setting, mfa_remember_device_days (default 30), controls how long a trusted device may skip the MFA challenge. Set it to 0 to disable remembered devices, so that no device skips the challenge.
Session TTL
Configure how long user sessions last before they expire.
Allowed Email Domains
Restrict account registration to specific email domains. For example, only allow @yourcompany.com addresses to sign up.
Blocked Email Domains
Block registrations from specific email domains. Commonly used to block disposable email providers (e.g., mailinator.com, tempmail.com).
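The sketch below is an added example, not Aero2 code: it shows one way a signup check could combine the signup mode with the allowed and blocked domain lists while avoiding suffix-matching and multiple-`@` mistakes. The mode identifiers (`open`, `invite_only`, `restricted`), the function names, exact-domain matching, and the rule that the blocklist wins over the allowlist are all assumptions.

```python
from typing import Iterable, Optional


def email_domain(address: str) -> Optional[str]:
    """Return the normalized domain of an address, or None if it is malformed."""
    # Split on the LAST '@' so "a@allowed.com@other.example" resolves to other.example.
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    domain = domain.rstrip(".").lower()
    try:
        # IDNA-encode so non-ASCII look-alike names never equal an ASCII list entry.
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def _normalize(domains: Iterable[str]) -> set:
    # Accept list entries written as "yourcompany.com" or "@yourcompany.com".
    return {d.strip().lstrip("@").rstrip(".").lower() for d in domains}


def signup_allowed(address: str, mode: str,
                   allowed: Iterable[str] = (), blocked: Iterable[str] = ()) -> bool:
    """Decide whether self-registration may proceed (assumed semantics)."""
    domain = email_domain(address)
    if domain is None:
        return False
    if domain in _normalize(blocked):      # assumption: blocklist always wins
        return False
    if mode == "restricted":
        # Exact match only: endswith() would accept "evil-yourcompany.com".
        return domain in _normalize(allowed)
    return mode == "open"                  # invite_only: no self-registration


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real system.
    samples = [
        "alice@yourcompany.com",
        "Alice@YourCompany.COM.",
        "bob@evil-yourcompany.com",
        "bob@yourcompany.com.evil.example",
        "bob@yourcompany.com@evil.example",
    ]
    for s in samples:
        print(s, signup_allowed(s, "restricted", allowed=["@yourcompany.com"]))
```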
Authentication Methods
Control which authentication methods are enabled for your application:
| Method | Description |
|---|---|
| Social login | Sign in with OAuth/OIDC providers |
| Password | Email and password authentication |
| Magic link | Passwordless email sign-in |
| Passkey | WebAuthn/biometric authentication |
You can enable multiple methods simultaneously. At least one method must be enabled at all times.