Account

Sign in, reset a password, and manage personal access tokens.

DuckViz authentication is run by Supabase. You have three ways to sign in — email + password, email magic link via invite, and Google OAuth. Every flow drops you at /auth/callback once the session is ready, then routes you to /home.

Sign up & sign in

Email + password

  • Sign up at /auth/signup — DuckViz sends a confirmation email.
  • Until you click the link, /auth/pending shows a "check your email" screen. Sign-in attempts route here automatically — unconfirmed accounts can't reach the product.
  • Click the link → /auth/callback → /home.

Google OAuth

  • Click Sign in with Google → Google sign-in popup → /auth/callback.
  • No password needed; the Google-linked email becomes your account identity.

Invite-only (referral)

When a friend invites you (Invite a Friend), the confirmation link drops you at /auth/set-password instead of /home. Pick a password, submit, and you're in. You skip the standard signup form entirely.

Password reset

  • Open /auth/reset → enter email → DuckViz sends a recovery link.
  • Clicking the link takes you to /auth/set-password to choose a new password — you won't be auto-routed to /home in a half-logged-in state.
  • Submit a new password → you're signed in.

Email confirmation edge cases

Confirmation links expire in 24 hours. If yours doesn't work:

  1. Go to the sign-in page
  2. Enter your email → click Resend confirmation
  3. The new email invalidates the old link

Already confirmed

If you click a confirmation link from an already-confirmed account, DuckViz routes you to /home without error — clicking twice is safe.

Cross-tab after confirmation

If you confirm in a second tab, the first tab's /auth/pending screen flips to /home automatically — no manual refresh needed.

Personal Access Tokens (PAT)

For server-to-server calls (the SDK, the CLI outside the browser bridge, CI jobs), mint a PAT at /settings/tokens.

Format

dvz_live_<24 base62>
  • dvz_live_ prefix is fixed (a dvz_test_ form may arrive later).
  • 24 random base62 characters — ~143 bits of entropy.
  • Shown exactly once at mint time. Copy it immediately; DuckViz cannot recover it — only revoke and re-mint.

For storage and verification details, see Token security.
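
Because the format is fixed, leaked tokens are easy to find in CI logs and config files. The scanner below is an added example, not DuckViz code: it matches the documented dvz_live_ + 24 base62 shape exactly and replaces each hit with a short SHA-256 fingerprint. The sample log, the tokens in it, the DUCKVIZ_TOKEN variable name and the function names are constructed for illustration.

```python
import hashlib
import math
import re

# Documented shape: fixed "dvz_live_" prefix + exactly 24 base62 characters.
# The lookahead rejects longer base62 runs, which are not valid PATs.
PAT_RE = re.compile(r"dvz_live_[0-9A-Za-z]{24}(?![0-9A-Za-z])")

# Constructed token for the demo; it was never issued by DuckViz.
CONSTRUCTED_TOKEN = "dvz_live_A1b2C3d4E5f6G7h8I9j0K1l2"

# Constructed CI log (hypothetical names): one well-formed token,
# one string that is too short, one that is too long.
SAMPLE_LOG = f"""\
step 1: installing dependencies
step 2: curl -H "Authorization: Bearer {CONSTRUCTED_TOKEN}" https://app.duckviz.com/api/credits/balance
step 3: DUCKVIZ_TOKEN=dvz_live_tooShort123
step 4: id=dvz_live_Zz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2Q
"""


def entropy_bits(length=24, alphabet=62):
    """Bits of entropy in `length` uniformly random symbols."""
    return length * math.log2(alphabet)


def fingerprint(token):
    """Short SHA-256 tag: identifies which token leaked without exposing it."""
    return "dvz_live_[sha256:" + hashlib.sha256(token.encode()).hexdigest()[:12] + "]"


def scan(text):
    """Return (line_number, fingerprint) for every PAT-shaped string."""
    return [
        (lineno, fingerprint(m.group()))
        for lineno, line in enumerate(text.splitlines(), start=1)
        for m in PAT_RE.finditer(line)
    ]


def scrub(text):
    """Replace every PAT-shaped string with its fingerprint before storing logs."""
    return PAT_RE.sub(lambda m: fingerprint(m.group()), text)


if __name__ == "__main__":
    print(f"{entropy_bits():.1f} bits per token")
    for lineno, tag in scan(SAMPLE_LOG):
        print(f"line {lineno}: {tag}")
```

Run fingerprint() over the tokens you hold to learn which one a finding refers to, then revoke that token at /settings/tokens.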

Using a PAT

curl -H "Authorization: Bearer dvz_live_…" \
  https://app.duckviz.com/api/credits/balance

Every AI endpoint accepts a PAT or a session cookie, with bearer-first precedence: a tab that is both signed in and sending a bearer header will auth as the token, not the user. A handful of cookie-only routes (token management, referrals, billing, feedback, account settings) reject PATs entirely so a stolen token cannot mint more tokens or move money. Full list: API endpoints.

Revoking

Go to /settings/tokens → Revoke. The next request with that token fails 401 immediately — no stale-cache window.

Per-token accounting

DuckViz tracks credit history per account, not per token. If you want to attribute usage to specific CI jobs or servers, mint a separate token for each, then aggregate the usage history client-side.