Namespace login methods let you control which login methods can access each namespace in your organization. A user who authenticates through a login method that a namespace does not allow cannot see or act on that namespace or the graphs inside it. This is useful when different environments must be reached through different identities. Map your production namespace to a production SSO app and your staging namespace to a staging app, and a user who signs in through the staging app no longer has access to production.

Login methods

A namespace can be mapped to any combination of the following:
  • Password: email and password login.
  • Google: Google social login.
  • GitHub: GitHub social login.
  • SSO apps: each OIDC provider you have connected. Every connected app is a separate login method, so you can allow one app and not another. See SSO for how to connect providers.

How the gate works

The mapping is default-open and works per namespace:
  • A namespace with no configured login methods is open to every login method.
  • A namespace with one or more configured login methods is restricted to exactly those methods. Every other login method is denied.
The restriction applies to both visibility and actions. A user whose login method is not allowed for a namespace does not see it in lists and cannot read from or write to it. The gate is based on how the user authenticated, not on their role, so it applies to all members including organization admins.
API keys are never gated. A request authenticated with an API key has access to every namespace regardless of the mappings. Use API keys for CI and automation that must reach all environments.

Configure mappings

Only organization admins can view and change namespace login methods.
  1. Connect the SSO providers and enable the social logins you intend to use. See SSO.
  2. Navigate to Namespace SSO.
  3. Add a row for each namespace you want to restrict, then select the login methods allowed for it. Namespaces you do not add stay open to all login methods.
  4. Save. The mappings apply on each user’s next request.
The gate applies to admins too, so this page only lists the namespaces your current login method can access. If you signed in through the staging SSO app, you see and configure only the namespaces that app can reach; namespaces reachable only through other login methods are hidden from the list and the namespace selector. Sign in through the relevant login method to manage those.

Behavior

  • Reopening a namespace: remove all of a namespace’s login methods to make it open to every method again.
  • Deleting an SSO provider: when you delete a connected provider, it is removed from every namespace mapping. A namespace that allowed only that provider becomes open again.
  • Unmapped namespaces: namespaces created after you configure mappings start open until you add them.

Example

An organization has a production and a staging namespace, a “Production” SSO app, and a “Staging” SSO app.

| Namespace | Allowed login methods |
| --- | --- |
| production | Production SSO |
| staging | Staging SSO, Password |
| default | (unmapped, open to all) |

A user who signs in through the Staging app sees staging and default, but not production. A user who signs in with a password sees staging and default. An API key sees all three.
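
The gate rules and the provider-deletion behavior described above, written as a small Python model. This is an added example, not WunderGraph Cosmo code: the class, its method names and the login-method labels such as `sso:production` are hypothetical, and the mapping data is the table from this example.

```python
# Illustrative model of the gate rules on this page; not Cosmo's implementation.
API_KEY = "api_key"  # hypothetical label for a request authenticated with an API key
NAMESPACES = ["production", "staging", "default"]  # from the page's example


class NamespaceGate:
    def __init__(self, mappings):
        # namespace -> set of allowed login methods; absent or empty means open
        self.mappings = {ns: set(methods) for ns, methods in mappings.items()}

    def allowed(self, namespace, login_method):
        if login_method == API_KEY:
            return True  # API keys are never gated
        methods = self.mappings.get(namespace)
        if not methods:
            return True  # default-open: no configured methods
        return login_method in methods  # restricted to exactly these methods

    def visible(self, namespaces, login_method):
        # The gate covers visibility too: denied namespaces are not listed.
        return [ns for ns in namespaces if self.allowed(ns, login_method)]

    def open_namespaces(self, namespaces):
        # Namespaces every login method can reach, e.g. ones created after setup.
        return [ns for ns in namespaces if not self.mappings.get(ns)]

    def reopens_on_delete(self, provider):
        # Dry run: namespaces that allow only this provider open up if it is deleted.
        return sorted(ns for ns, m in self.mappings.items() if m == {provider})

    def delete_provider(self, provider):
        # Deleting a provider removes it from every namespace mapping.
        reopened = self.reopens_on_delete(provider)
        for methods in self.mappings.values():
            methods.discard(provider)
        return reopened


def example_gate():
    # Mapping table from the page's example; method labels are constructed.
    return NamespaceGate({
        "production": {"sso:production"},
        "staging": {"sso:staging", "password"},
    })


if __name__ == "__main__":
    gate = example_gate()
    print(gate.visible(NAMESPACES, "sso:staging"))
    print(gate.reopens_on_delete("sso:production"))
```

Checking `reopens_on_delete` before removing a provider shows which namespaces would fall back to open, so another login method can be mapped to them first.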