Directus is serious about security, and takes every precaution to ensure your data is kept secure. Below are a few of the features we employ to safeguard your projects.
The API encrypts every Directus user's password as a hash using a strong one-way hashing algorithm called CRYPT_BLOWFISH. The CRYPT_BLOWFISH algorithm creates a 60-character hash with a recognizable $2y$ identifier. All hashes are generated with a random salt and a cost of 10. This cost determines the rounds of expansion used, so our default cost of 10 is equal to 2^10 (1,024) iterations — a good balance for most hardware.
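The hash layout described above can be checked mechanically. The following is an added example (not Directus code) that parses a stored bcrypt string into its $2y$ identifier, cost, salt and digest, derives the 2^cost round count, and audits a list of stored hashes for entries that fall below the documented cost of 10 or are not bcrypt at all. The sample hash strings are constructed filler in bcrypt's alphabet, not real hashes; accepting the $2a$/$2b$ variants alongside $2y$ is an assumption beyond what the page states.

```python
import re
from dataclasses import dataclass

# bcrypt uses its own base64 alphabet "./A-Za-z0-9", not the standard one.
# Format: $<variant>$<2-digit cost>$<22-char salt><31-char digest> = 60 chars.
_BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


@dataclass(frozen=True)
class BcryptHash:
    variant: str   # "2y" is what PHP's password_hash emits (the page's identifier)
    cost: int      # work factor; expansion rounds = 2 ** cost
    salt: str      # 22 encoded characters = 128 random bits
    digest: str    # 31 encoded characters of the Blowfish-derived result

    @property
    def rounds(self) -> int:
        return 2 ** self.cost


def parse_bcrypt(hash_str: str) -> BcryptHash:
    """Parse a stored bcrypt hash; raise ValueError if it is not well formed."""
    if len(hash_str) != 60:
        raise ValueError(f"bcrypt hashes are exactly 60 chars, got {len(hash_str)}")
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a $2a$/$2b$/$2y$ hash with 2-digit cost and 53 hash chars")
    variant, cost, salt, digest = m.groups()
    cost_int = int(cost)
    if not 4 <= cost_int <= 31:        # bcrypt's defined cost range
        raise ValueError(f"cost {cost_int} outside bcrypt's valid range 4..31")
    return BcryptHash(variant, cost_int, salt, digest)


def audit_hashes(hashes, min_cost=10):
    """Return (identifier, reason) pairs for hashes weaker than the expected policy."""
    findings = []
    for ident, h in hashes:
        try:
            parsed = parse_bcrypt(h)
        except ValueError as exc:
            findings.append((ident, f"malformed: {exc}"))
            continue
        if parsed.variant != "2y":
            findings.append((ident, f"variant ${parsed.variant}$, expected $2y$"))
        if parsed.cost < min_cost:
            findings.append((ident, f"cost {parsed.cost} ({parsed.rounds} rounds) below {min_cost}"))
    return findings


# Constructed sample values (bcrypt-alphabet filler), NOT real Directus hashes.
SAMPLE_OK = "$2y$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcde"
SAMPLE_WEAK = "$2y$04$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcde"
SAMPLE_BAD = "5f4dcc3b5aa765d61d8327deb882cf99"   # unsalted, MD5-length string
```

Running `audit_hashes([("u1", SAMPLE_OK), ("u2", SAMPLE_WEAK), ("u3", SAMPLE_BAD)])` reports only u2 (cost 4, 16 rounds) and u3 (malformed), which is the kind of check to run against `directus_users` after a migration from another system.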
Two-Factor Authentication (2FA)
2FA is individually enabled from each User's Profile. To do so, click on the "Enable 2FA" button, and scan the QR code in your authenticator app.
This QR code will only be shown to you once. After you save your profile, the next time you log in, you will be required to enter your One-Time Password (OTP) after your email and password.
Administrators can force 2FA at the User Role level.
Single Sign-On (SSO)
For Single Sign-On (SSO) to function properly, a user with a matching email address must already exist within directus_users. If you would like to manage users externally, use our SCIM endpoints. The following SSO options are supported:
Google SSO Setup
Follow Google's instructions on how to register an app and get the
If you want to use the Google+ API, read these steps on how to enable/disable Google+ APIs.
We support Google SSO with both Google+ (soon to be discontinued) and OpenID Connect.
Okta SSO Setup
- Sign Up: First create a Developer Okta account at https://developer.okta.com/signup/
- Get Email: Once you've created an account, a temporary password will be emailed to you.
- Log In: Activate your account by logging in with this temporary password and setting a new password.
- Create App: Create a new Okta web application by choosing Applications in the main menu and then clicking on "Add Application".
- Choose Web: Pick Web, click Next.
- Login Redirect: Make sure that Login Redirect URIs is set to [your-directus-host]/[project-name]/auth/sso/okta/callback. For example
- Get Keys: Click on the newly created application and go to General > Client Credentials, where you will see the Client ID and the Client Secret. Use these values for the Okta client_secret (and its matching client ID setting) in your API project configuration, eg:
- Base URL: The base_url can be found under API in the main menu. You will see a list of Authorization Servers to pick from. The URL is under the column labeled
Okta is also capable of externally managing your Directus users, allowing for more unified user provisioning within your organization. This is accomplished by using our API's dedicated SCIM endpoints.