
This feature is available on the Scale plan. View all plans
You can easily authenticate users on your portal with your existing system by implementing a simple endpoint that generates a JWT and redirects back to Productlane.
Activate SSO
Head to the SSO settings and activate SSO by specifying the URL of the endpoint you plan on using. A signing secret is generated and shown once in a read-only field. Click Copy and close to save it securely. It will not be shown again.
Implement token endpoint
import jwt from "jsonwebtoken"
import { NextApiRequest, NextApiResponse } from "next"
export default function handler(
req: NextApiRequest,
res: NextApiResponse,
) {
// replace with your "getSession"
const session = { email: "[email protected]", name: "Raphael" }
const token = jwt.sign(
{
email: session.email,
name: session.name,
imageUrl: "", // optional
orgId: "", // optional, PL Org ID
linearOrgId: "", // optional, Linear Customer Id
tokenValidity: 15 // optional, in minutes
},
"pl_sso_...",
)
const redirect = req.query.redirect ? "&redirect=" + req.query.redirect : ""
// custom domain example
res.redirect("https://support.example.com/api/portal/sso?token=" + token + redirect)
// subdomain example
// res.redirect("https://example.productlane.com/api/portal/sso?token=" + token + redirect)
}Enable SSO
If your endpoint is ready, enable the Enable SSO toggle in the SSO settings. This starts routing traffic to your endpoint, so make sure it is ready before enabling.
Once SSO is active you can control which parts of the portal require authentication.
Turn on Make entire portal private to require SSO for every section. When this is enabled, the portal is automatically excluded from search engine indexing (robots.txt, sitemap, and noindex meta tags are all set).
If you want only specific sections to require login, leave Make entire portal private off and use the individual section toggles:
Toggle | Section protected |
|---|---|
Make Docs private | Docs / Help Center |
Make Feature requests private | Roadmap / Feature requests |
Make Changelog private | Changelog |
Make Support Portal private | Support portal |
Private sections are excluded from search engine indexing individually (robots.txt disallow rules, sitemap omission, and noindex meta tags).
If your secret is compromised or you need to cycle credentials, use the Rotate secret button in the Credentials section of the SSO settings.
The current secret stops working immediately when you rotate.
Update your SSO endpoint with the new secret before rotating to avoid any login interruption.
By default, Productlane automatically assigns users to an organisation based on their email domain. When authenticating via SSO, you can override this and manually assign a user to a specific organisation using these optional JWT fields:
orgId - the Productlane Organisation ID
linearOrgId - the Linear Customer ID
This is useful when a user's email domain does not match their organisation, or when you need explicit control over organisation assignment.
Productlane automatically passes a redirect parameter to your endpoint when a user tries to access a specific page before logging in. Forward it in your redirect to send users back to where they came from.
// Forward the redirect param so users land on the page they originally visited
const redirect = req.query.redirect
res.redirect(
`https://example.productlane.com/api/portal/sso?token=${token}${redirect ? `&redirect=${redirect}` : ''}`
)