Authentication & access
Dezycro accounts use OIDC under the hood (Zitadel). For day-to-day humans, Google login is the recommended path. For programmatic access (CI, scripts, the Claude Code plugin), use a Personal Access Token (PAT).
Logging in
Visit app.dezycro.ai and click Continue with Google. On first sign-in, Dezycro creates your user record and (if you're the first member) provisions a new tenant (organization-level container) with a Default Workspace inside it.
Tenant vs Workspace
A common confusion — these are not the same:
- Tenant — the organization-level entity. Every user belongs to exactly one tenant. Billing, members, SSO, and PATs are scoped here.
- Workspace — a logical grouping inside a tenant. Tenants can have many workspaces (e.g. one per team). Projects, features, PRDs, tests, and verifier runs live inside workspaces.
When the docs say "your tenant," that's your organization. When they say "your workspace," that's the inner container.
SSO (Enterprise)
Enterprise tenants can configure their own OIDC identity provider (Okta, Auth0, Azure AD, etc.) so users sign in via the customer's own SSO. Contact sales to enable.
Personal Access Tokens (PATs)
PATs let you authenticate as yourself to the Dezycro public API and MCP server without going through the OAuth flow. Use them for:
- The Claude Code plugin (the MCP server reads Authorization: Bearer dzy_… headers)
- CI scripts that hit the public API
- Local tooling
Creating a PAT
- Sign in to app.dezycro.ai
- Open Settings → Personal Access Tokens
- Click Create token — give it a name and an optional expiry
- Copy the token immediately — it's shown once and can't be retrieved later
PAT format: dzy_<random>. PATs are bearer tokens; pass the token as Authorization: Bearer dzy_… on every request.
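Because a PAT is a bearer string with a fixed dzy_ prefix, a hard-coded token can be caught before it reaches a repository or a CI log. The scanner below is an added example, not Dezycro code. The character set and minimum length of the random part, and the names DEZYCRO_PAT and API_URL, are assumptions.

```python
import re
import sys

# Assumption: the page only documents the format as dzy_<random>. The character
# set and minimum length used here are guesses; tune them to the tokens your
# tenant actually issues.
PAT_RE = re.compile(r"(?<![A-Za-z0-9_])dzy_[A-Za-z0-9_-]{16,}")


def mask(token: str) -> str:
    """Keep the prefix and last 4 characters so a finding can be matched to a
    token on the Personal Access Tokens page without re-leaking it."""
    return "dzy_" + "*" * (len(token) - 8) + token[-4:]


def find_pats(text: str):
    """Return (line_number, masked_token) for every PAT-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAT_RE.finditer(line):
            findings.append((lineno, mask(match.group())))
    return findings


def redact(text: str) -> str:
    """Replace PAT-shaped strings so logs can be stored or shared."""
    return PAT_RE.sub(lambda m: mask(m.group()), text)


# Constructed sample: a CI script with one hard-coded token (fake value), one
# environment-variable reference (hypothetical names) and the docs placeholder.
SAMPLE = """\
curl -H "Authorization: Bearer dzy_Zm9vYmFyYmF6cXV4MTIzNDU2" "$API_URL"
curl -H "Authorization: Bearer $DEZYCRO_PAT" "$API_URL"
# header format: Authorization: Bearer dzy_…
"""

if __name__ == "__main__":
    # Scan files passed as arguments (for example from a pre-commit hook)
    # and exit non-zero if any of them contains a PAT-shaped string.
    failed = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, masked in find_pats(fh.read()):
                print(f"{path}:{lineno}: possible Dezycro PAT {masked}")
                failed = True
    sys.exit(1 if failed else 0)
```

If the scanner reports a finding, revoke that token and create a new one; removing the string from the file does not remove it from history or logs.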
Token scopes
PATs inherit your role within each workspace — a viewer's PAT can only read; a workspace admin's PAT can write. Tenant-scope settings (members, billing) require the tenant owner role.
Revoking a token
From the same Personal Access Tokens page, click Revoke next to the token. Revocation is immediate — in-flight requests with that token start returning 401 on the next call.
Members & roles
Roles are scoped per workspace (a user can have different roles in different workspaces of the same tenant):
| Role | Permissions |
|---|---|
| Admin | Full control of the workspace — invite/remove members, configure settings, edit all projects |
| Editor | Create and edit projects, features, PRDs, TRDs, run verifier; cannot manage members |
| Viewer | Read-only access; can view but not modify any workspace content |
Tenant-level admin (manages members, billing, SSO config) is held by the tenant owner — usually the first user to sign up for the tenant. Contact support to transfer ownership.
Inviting members
From the workspace Members tab, click Invite and enter an email address and a role. The invitee gets an email link; on first sign-in they're added with the chosen role.
If the invitee isn't already in your tenant, the invitation creates a tenant-level membership for them too — with no workspace access until they accept individual workspace invitations.
Bring Your Own Key (BYOK) — Enterprise
Enterprise tenants can supply their own LLM provider credentials (Anthropic / OpenAI / Bedrock / Vertex / Azure OpenAI) so all AI calls go through your billing account, not Dezycro's.
Configure under Settings → LLM Configuration. Two test buttons (per-model + per-credential) let you verify connectivity before activating. Once activated:
- All tenant-facing LLM calls (PRD chat, TRD authoring, test generation, workbook sweeps) bill to your provider
- Token usage is no longer counted against your Dezycro plan's monthly cap
- A small share of system-wide embedding calls continues to use shared infrastructure
BYOK is included with Enterprise. Lower tiers can preview-test the dialog but cannot activate.
Audit logs
Every meaningful tenant action is logged: member invites, role changes, document edits, PAT creation/revocation, settings changes, SSO config changes, BYOK config changes.
View under Settings → Audit Log (visible to Tenant Owner and workspace Admins). Retention:
- Team plan: 90 days
- Enterprise: 1 year (or custom)
Filterable by actor, action type, date range, resource type. Exportable as CSV.