Team sign-in
Let your whole team edit with docs.dev accounts — invite members, control access centrally.
Team sign-in connects your site's editor to a docs.dev team: editors sign in with their own docs.dev account (GitHub identity), and only people you've invited can get in. No shared PINs, no per-person GitHub repo access to manage — invite someone once and they can edit; remove them once and they can't.
Set it up
-
Create your account at your docs.dev dashboard — sign in with GitHub. Your team is created automatically.
-
Register your site: add its name and its sign-in callback URL — exactly your deployed site's origin plus
/api/admin/sso/callback, e.g.https://docs.example.com/api/admin/sso/callbackYou get back a Site ID.
-
Configure your site: in your repo's
wrangler.jsonc, set"DOCSDEV_SITE_ID": "site_…" // from the dashboardCommit and push — your CI redeploys with team sign-in enabled.
-
Invite your team from the dashboard by email. Invitees accept, sign in with GitHub, and can immediately use your site's
/admin.
Roles
- Admin (the team owner): manages members and registered sites, and can edit.
- Editor (everyone you invite): can edit and publish.
The security model
Team sign-in is a standard OAuth 2.0 authorization-code flow with PKCE, and it's deliberately strict:
- Exact-match redirect whitelist. Sign-ins can only ever be sent back to the callback URL registered for your site — exact string match, HTTPS only, no wildcards. A look-alike domain can't borrow your sign-in.
- Membership is checked centrally before a sign-in completes. Someone who isn't on your team gets a clear "ask an admin to invite you," never a session.
- No secrets on your site. The flow uses PKCE, and your site verifies sessions against docs.dev's published public keys (JWKS). Nothing confidential ships in your repo or your Worker.
- Sessions are short-lived signed tokens carrying the editor's identity and role — which is also how draft attribution works.
Team sign-in is exclusive
When DOCSDEV_SITE_ID is set, it is the only way in: the PIN and GitHub
sign-in paths are disabled so a leftover credential can't bypass your team's
membership list.
What stays yours
Your published site never depends on docs.dev to serve a page — the sign-in check happens only when an editor signs in. If docs.dev is unreachable, readers notice nothing, and already-signed-in editors keep working until their session expires. And if you ever leave, remove one variable and switch to standalone sign-in — everything else keeps working.