Skip to main content
Terminus Hub has two ways in, for two different jobs. People sign in to the web app with an email and password (or single sign-on, if their account uses it), which starts a browser session. Software talks to the REST API with an API key, a secret token sent on every request. This page covers signing in; for the API in depth, see the API reference for authentication.

Sign in to the web app

Signing in is a two-step, email-first flow:
1

Enter your email

On the sign-in screen, type your email and click Continue. Terminus checks whether your email’s domain uses single sign-on.
2

Enter your password, or continue with SSO

If your domain uses a password, the password field appears: type it and sign in. If your domain enforces SSO, Terminus sends you to your identity provider to sign in there instead.
A successful sign-in starts a secure browser session. If you belong to more than one account, you pick which one to work in after signing in; if you belong to exactly one, Terminus opens it for you.
Creating an account, confirming your email, resetting a forgotten password, and unlocking a locked account are all part of this flow. You must confirm your email before you can sign in. The first time you sign up, Terminus also creates a workspace named Main for you.

Single sign-on

If an account has SSO configured, members of its email domain sign in through their identity provider rather than with a password. Account owners and admins can still sign in with a password even when SSO is enforced, so they always have a way in. Setting up SSO is an account-level configuration.

If you cannot sign in

For security, a wrong password, an unknown email, and a temporarily locked account all show the same message. After several failed attempts an account locks for a short time. Wait a few minutes and try again, or use the unlock link Terminus emails you.
You cannot sign in until your email is confirmed. Use the resend option on the check-your-email screen to get a fresh confirmation link.
Your account’s domain may enforce single sign-on. Sign in through your identity provider instead. If you are an owner or admin, password sign-in still works for you.

Authenticate API requests

For anything programmatic (integrations, scripts, automation), use an API key instead of a session. A key is a secret bearer token that you send in the Authorization header on every request. 
curl https://hub.terminus.app/api/v1/records \
  -H "Authorization: Bearer thub_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Keys are account-scoped, not tied to a person, so they keep working after the teammate who created one leaves. A key can do whatever its account can do through the public API; it cannot reach admin-only endpoints, and it can only ever read or write its own account’s data.
An API key is shown in full only once, at the moment you create it. Terminus stores only a secure hash of it and can never display it again. Copy it into a secrets manager right away. If you lose a key, delete it and create a new one.

Create and manage keys

API keys are managed through the API itself. Create one by sending its name to the keys endpoint while authenticated: 
curl -X POST https://hub.terminus.app/api/v1/api_keys \
  -H "Content-Type: application/json" \
  -d '{"name": "CI pipeline"}'
The response includes the full key one time. Listing keys afterward returns each key’s name and when it was last used, but never the secret itself. To revoke a key, delete it; the token stops working immediately. Only account owners and admins can create or delete keys. For the full request and response shapes, error codes, and rate limits, see the API reference for authentication and the API keys reference.
Keep keys out of client-side code and version control. Load them from an environment variable or a secrets manager, and rotate them on a schedule (create the new key, switch your services over, then delete the old one).

API authentication reference

Header format, error responses, and account scoping for API key auth.

API keys

Create, list, and revoke the keys for your account.

API overview

Base URL, response shapes, and which resources the public API covers.

Quickstart

Sign up and run the full Terminus Hub flow.