Authentication
Secure authentication options for the GitScrum Chrome Extension.
Sign In Methods
The extension supports multiple authentication methods:
| Method | Description |
|---|---|
| Email/Password | Traditional login with your GitScrum credentials |
| MFA | Two-factor authentication with authenticator apps |
| Google OAuth | Sign in with your Google account |
| GitHub OAuth | Sign in with your GitHub account |
| Facebook OAuth | Sign in with your Facebook account |
Email and Password
Sign In
- Click the GitScrum extension icon
- Enter your email address
- Enter your password
- Click Sign in
Password Requirements
Use the same password you use on the GitScrum web app. Password reset is available at app.gitscrum.com.
Forgot Password
- Click Forgot password? on the login screen
- Enter your email address
- Click Send reset link
- Check your email for the reset link
- Reset your password on the web app
- Return to the extension and sign in
Multi-Factor Authentication
If MFA is enabled on your account, sign-in requires an additional step.
Setup
MFA is configured in your GitScrum account settings on the web app:
- Log in to app.gitscrum.com
- Go to Profile → Security
- Enable Two-factor authentication
- Scan the QR code with your authenticator app
- Enter the verification code to confirm
Sign In with MFA
- Enter your email and password
- The extension shows a code input field
- Open your authenticator app
- Enter the 6-digit code
- Click Verify
Supported Authenticator Apps
| App | Platform |
|---|---|
| Google Authenticator | iOS, Android |
| Authy | iOS, Android, Desktop |
| Microsoft Authenticator | iOS, Android |
| 1Password | iOS, Android, Desktop |
| Bitwarden | iOS, Android, Desktop |
Any TOTP-compatible authenticator app works.
Code Timing
- Codes refresh every 30 seconds
- If a code fails, wait for the next code
- The authenticator shows a countdown timer
OAuth Providers
Google
- Click the Google button
- A popup opens with Google account selection
- Choose your Google account
- Grant permission to GitScrum
- The popup closes and you are signed in
Requirements:
- Google account connected in GitScrum profile settings
- Popups allowed for the extension
GitHub
- Click the GitHub button
- A popup opens with GitHub authorization
- Click Authorize
- The popup closes and you are signed in
Requirements:
- GitHub account connected in GitScrum profile settings
- Popups allowed for the extension
Facebook
- Click the Facebook button
- A popup opens with Facebook login
- Log in to Facebook if needed
- Grant permission to GitScrum
- The popup closes and you are signed in
Requirements:
- Facebook account connected in GitScrum profile settings
- Popups allowed for the extension
Connecting OAuth Providers
Before using OAuth in the extension:
- Log in to app.gitscrum.com
- Go to Profile → Connected accounts
- Click Connect next to your preferred provider
- Complete the authorization flow
- The account is now linked
Session Management
Session Duration
- Sessions remain active for 30 days
- Activity extends the session
- Background token refresh keeps you signed in
Sign Out
- Click the GitScrum extension icon
- Click the Sign out button in the header
- Your session is terminated
- Authentication data is cleared
Automatic Sign Out
You are signed out automatically when:
- Your session expires
- Your password is changed
- Your account is suspended
- You sign out from the web app with "Sign out everywhere"
Token Storage
How Tokens Are Stored
The extension stores authentication tokens in Chrome's local storage:
| Data | Storage |
|---|---|
| Access token | chrome.storage.local |
| Refresh token | chrome.storage.local |
| User preferences | chrome.storage.local |
Security Measures
| Measure | Description |
|---|---|
| Base64 obfuscation | Tokens are encoded before storage |
| No plain text | Sensitive data is never stored as plain text |
| Local only | Data never syncs to cloud |
| Cleared on sign out | All data removed when you sign out |
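Base64 is a reversible encoding, not encryption, so the "Base64 obfuscation" measure does not by itself protect a token from anyone who can read the browser profile. The following added example (not GitScrum's code; the key names, token values and sample bytes are constructed) audits a chrome.storage.local snapshot and flags values that decode to readable text without any key.

```javascript
// Added example, not GitScrum code. Key names and values are constructed.
// In an extension, the snapshot would come from chrome.storage.local.get(null).
const sampleSnapshot = {
  access_token: btoa('constructed-access-token-0001'),
  refresh_token: btoa('constructed-refresh-token-0001'),
  preferences: JSON.stringify({ theme: 'dark' }),
  // 12 constructed bytes standing in for real ciphertext
  sealed_blob: btoa(String.fromCharCode(143, 1, 195, 250, 7, 200, 19, 254, 0, 77, 160, 221)),
};

// Standard-alphabet Base64 with a valid length and padding.
function looksLikeBase64(value) {
  return typeof value === 'string' && value.length >= 16 &&
    value.length % 4 === 0 && /^[A-Za-z0-9+\/]+={0,2}$/.test(value);
}

// 'base64-text' means a plain decode yields printable ASCII, i.e. no key
// was needed to read the value. The decoded text itself is never returned.
function classify(value) {
  if (!looksLikeBase64(value)) return 'not-base64';
  const decoded = atob(value);
  return /^[\x20-\x7e]+$/.test(decoded) ? 'base64-text' : 'base64-binary';
}

// Per-key report that is safe to log: it names keys, not secrets.
function auditSnapshot(snapshot) {
  return Object.entries(snapshot).map(([key, value]) => {
    const kind = classify(value);
    return { key, kind, recoverableWithoutKey: kind === 'base64-text' };
  });
}

// Keys whose values are protected by encoding alone.
function keysNeedingProtection(snapshot) {
  return auditSnapshot(snapshot)
    .filter((row) => row.recoverableWithoutKey)
    .map((row) => row.key);
}

console.log(auditSnapshot(sampleSnapshot));
console.log('Encoding only:', keysNeedingProtection(sampleSnapshot));
```

The check is a heuristic: a short alphanumeric string can look like Base64, so treat a flagged key as a prompt to review how that value is stored.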
Clearing Data
To clear all extension data:
- Right-click the GitScrum icon
- Click Manage extension
- Click Clear site data
- Confirm the action
This signs you out and removes all stored data.
Security Best Practices
Recommendations
- Enable MFA — Adds a second layer of security
- Use OAuth — Leverages provider security
- Regular sign out — On shared computers
- Keep browser updated — Security patches
What the Extension Does NOT Do
| Action | Status |
|---|---|
| Store passwords | Never |
| Access other tabs | Only when you click capture |
| Run in background | Never |
| Track browsing | Never |
| Sync to cloud | Never |
Troubleshooting
OAuth Popup Blocked
- Check browser popup blocker settings
- Look for a blocked popup indicator in the address bar
- Allow popups from the extension
- Try the OAuth button again
MFA Code Invalid
- Check your device clock is accurate
- Wait for the next code (30 seconds)
- Verify you are using the correct authenticator entry
- Try entering the code immediately after it refreshes
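Why the Code Timing notes and the device-clock check matter, as an added example (not GitScrum's code): a TOTP code is derived from the current 30-second step, so a verifier can only match codes from a clock close to its own. The secret is the published RFC 4226 test key, the timestamps are chosen so the RFC's test values apply, and the acceptance window of one step either side is an assumption about the server.

```javascript
// Added example, not GitScrum code. Runs under Node.js.
const crypto = require('crypto');

const STEP_SECONDS = 30; // codes refresh every 30 seconds
const DIGITS = 6;        // 6-digit code

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation.
function hotp(secret, counter) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** DIGITS).padStart(DIGITS, '0');
}

// RFC 6238 TOTP: the counter is the number of 30-second steps since the epoch.
function totp(secret, unixSeconds) {
  return hotp(secret, Math.floor(unixSeconds / STEP_SECONDS));
}

// Verifier side: accept codes from `window` steps either side of its own clock.
// Returns the matching step offset, or null when the code is outside the window.
function verify(code, secret, serverSeconds, window = 1) {
  const current = Math.floor(serverSeconds / STEP_SECONDS);
  const given = Buffer.from(String(code));
  for (let drift = -window; drift <= window; drift++) {
    const expected = Buffer.from(hotp(secret, current + drift));
    if (given.length === expected.length && crypto.timingSafeEqual(given, expected)) {
      return drift;
    }
  }
  return null;
}

const secret = Buffer.from('12345678901234567890'); // RFC 4226 test key
const serverNow = 165; // constructed timestamp, falls in step 5

// Code shown by an authenticator whose clock is off by skewSeconds.
function codeFromDevice(skewSeconds) {
  return totp(secret, serverNow + skewSeconds);
}

console.log('accurate clock  :', verify(codeFromDevice(0), secret, serverNow));
console.log('20 s fast       :', verify(codeFromDevice(20), secret, serverNow));
console.log('90 s slow       :', verify(codeFromDevice(-90), secret, serverNow));
```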
Session Expired
- Your session timed out after inactivity
- Click the extension icon
- Sign in again
Account Locked
Too many failed sign-in attempts lock your account:
- Wait 15 minutes
- Reset your password if needed
- Contact support if the issue persists
Next Steps
- Getting Started — Complete setup guide
- Task Creation — Create tasks from browser
- Overview — Extension overview