Email & Password

:::warning Not Planned
Email/password authentication is deferred indefinitely in Aero2. Passwordless email code login covers the same use case without the operational cost of password storage, hashing, lockout tuning, and reset flows.
:::

Why we don't ship password auth

Aero2 is passwordless-first. The shipped alternatives — email code login (a 6-digit code emailed on demand) and OAuth/OIDC social login — give users a sign-in flow that is:

  • Simpler — no passwords to choose, remember, or reset.
  • More secure — there is no password hash to leak, no password to phish, and no reuse risk across services.
  • Cheaper to operate — no password reset funnel, no breach-response runbook tied to hash leaks.

If you specifically need password authentication for an integration that cannot use OAuth or one-time codes, open a discussion — we will reconsider the trade-off if there's a concrete use case we haven't accounted for.

Recommended alternatives

  • Email Code (Passwordless) — users receive a 6-digit code via email and submit it to sign in. No password required. This is the default email-based flow today.
  • Social Login (OAuth/OIDC) — sign in with GitHub, Google, or any OAuth2/OIDC provider.
  • Passkeys (WebAuthn) — phishing-resistant primary authentication, planned in Phase 2 §11.