# Login and Logout

## Logging In and Out via the User Interface

To log in via the user interface (UI), open the [DNAnexus Platform login page](https://platform.dnanexus.com/login) and enter your username and password.

To log out via the UI, open your account menu and select **Sign Out**:

![Logging in and out](https://1612471957-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_EsL_ie8XyZlLe_yf9%2Fuploads%2Fgit-blob-93150595695c1b1e6727bb5b86fc38e9a6e75bce%2Fimage.png?alt=media)

## Logging In via the Command-Line Interface

To log in via the command-line interface (CLI), make sure you've [installed the `dx` command-line client](https://documentation.dnanexus.com/downloads). From the CLI, enter the command [`dx login`](https://documentation.dnanexus.com/helpstrings-of-sdk-command-line-utilities#login).

Next, enter your username, or, if you've logged in before on the same computer and your username is displayed, hit **Return** to confirm that you want to use it to log in. Then enter your password.

See below for directions on [using a token to log in](#using-tokens).

See the [Index of `dx` Commands page](https://documentation.dnanexus.com/helpstrings-of-sdk-command-line-utilities#login) for details on optional arguments that can be used with `dx login`.

## Logging Out via the Command-Line Interface

When using the CLI, log out by entering the command [`dx logout`](https://documentation.dnanexus.com/helpstrings-of-sdk-command-line-utilities#logout).

{% hint style="info" %}
If you use a token to log in, logging out invalidates that token. To log in again, you must [generate a new token](#generating-a-token).
{% endhint %}

See the [Index of `dx` Commands page](https://documentation.dnanexus.com/helpstrings-of-sdk-command-line-utilities#logout) for details on optional arguments that can be used with `dx logout`.

## Auto Logout

### Session inactivity

By default, the system logs out users after 15 minutes of inactivity. Exceptions apply to users logged in with an [API token](#using-tokens) that specifies a different session duration, or users in an org with a custom `autoLogoutAfter` policy.

{% hint style="info" %}
[Contact DNAnexus Support](mailto:support@dnanexus.com) for more information on setting a custom `autoLogoutAfter` policy for an org.
{% endhint %}

### Credentials change

The system automatically logs out users when they change their account credentials. This happens immediately after the credentials change is complete. Exceptions apply to users logged in with an [API token](#using-tokens).

The following actions are considered credentials changes:

* Change a password
* Reset a password
* Confirm a new email address after updating account email
* Enable or disable multi-factor authentication (MFA)

By default, changing your credentials does not automatically terminate any running jobs or active downloads and uploads that are authenticated on your behalf. When you change your credentials, you can choose **Revoke Active Tokens** to terminate these running jobs and active transfers. See details on [revoking API tokens](#revoking-a-token).

{% hint style="warning" %}
If you suspect your account may be compromised, we strongly recommend that you:

* Opt in to terminate any active jobs authenticated on your behalf.
* Rotate your [API tokens](#using-tokens) after changing credentials. That is, delete your existing API tokens and create new ones.
{% endhint %}

## Using Tokens

You can log in via the CLI, and stay logged in for a fixed length of time, by using an API token, also called an authentication token.

{% hint style="warning" %}
Exercise caution when sharing DNAnexus Platform tokens. Anyone with a token can access the Platform and impersonate you as a user. They gain your access level to any projects accessible by the token, enabling them to run jobs and potentially incur charges to your account.
{% endhint %}

### Generating a Token

To generate a token, open your account menu and select **My Profile**.

Next, click on the **API Tokens** tab. Then click the **New Token** button:

![Creating a new token](https://1612471957-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_EsL_ie8XyZlLe_yf9%2Fuploads%2Fgit-blob-ea1ffea00946fc7f79452b87acb57ea886f44eb4%2Flogin-and-logout-2%20\(1\).png?alt=media)

The **New Token** form opens in a modal window:

![New token form](https://1612471957-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_EsL_ie8XyZlLe_yf9%2Fuploads%2Fgit-blob-7dc0713d13b521ba715ddcd9f373d7dbe33f9da0%2Flogin-and-logout-4%20\(1\).png?alt=media)

Consider the following points when filling out the form:

* The token provides access to each project at the level at which you have access. See the [Projects page for more on project access levels](https://documentation.dnanexus.com/getting-started/key-concepts/projects#project-access-levels).
* If the token provides access to a project within which you have PHI data access, it enables access to that PHI data.
* Tokens without a specified expiration date expire in one month.

After completing the form, click **Generate Token**. The system generates a 32-character token and displays it with a confirmation message.

{% hint style="info" %}
Copy your token immediately. The token is inaccessible after dismissing the confirmation message or navigating away from the **API Tokens** screen.
{% endhint %}

### Using a Token to Log In

To log in with a token via the CLI, enter the command [`dx login --token`](https://documentation.dnanexus.com/helpstrings-of-sdk-command-line-utilities#login), followed by a valid 32-character token.

### Token Use Cases

Tokens are useful in multiple scenarios, such as:

* **Logging in via the CLI with single sign-on enabled** - If your organization uses [single sign-on](https://documentation.dnanexus.com/admin/single-sign-on), logging in via the CLI might require a token instead of a username and password.
* **Logging in via a script** - Scripts can use tokens to authenticate with the Platform.

{% hint style="warning" %}
When incorporating a token into a script, set the token's expiration date so that the script has Platform access for only as long as necessary. Also ensure that the token gives the script access only to the project or projects it needs in order to function properly.
{% endhint %}

### Revoking a Token

When you revoke API tokens, all running jobs and all active file uploads or downloads authenticated with those tokens are terminated immediately and fail with the [error `AuthError`](https://documentation.dnanexus.com/developer/apps/error-information#autherror). Any compute or egress charges incurred up to the point of termination remain billable to the account associated with those operations.

To revoke a token, navigate to the **API Tokens** screen within your profile on the UI. Select the token you want to revoke, then click the **Revoke** button:

![Revoking a token](https://1612471957-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_EsL_ie8XyZlLe_yf9%2Fuploads%2Fgit-blob-f421590cb593eff17620e3a95c5e45ef5471785a%2Flogin-and-logout-5%20\(1\).png?alt=media)

In the **Revoke Tokens Confirmation** modal window, click the **Yes, revoke it** button. The token is revoked, and its name no longer appears in the list of tokens on the **API Tokens** screen.

#### When to Revoke a Token

* **Token shared too widely** - Revoke a token if someone with whom you've shared the token should no longer be able to use it, or if you're not certain who has access to it.
* **Token no longer needed** - Revoke a token if a script that uses it is no longer in use, or if a group that had been using it no longer needs access to the Platform, or in any other situation in which the token is no longer necessary.

## Logging In Non-Interactively

Though logging in typically requires direct interaction with the Platform through the UI or CLI, non-interactive login is also possible. Scripts commonly automate both login and project selection.

Non-interactive login uses `dx login` with the `--token` argument. The [`dx select`](https://documentation.dnanexus.com/helpstrings-of-sdk-command-line-utilities#select) command automates project selection. For manual project selection, add the [`--noprojects`](https://documentation.dnanexus.com/helpstrings-of-sdk-command-line-utilities#login) argument to `dx login`.
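The non-interactive flow described above, as an added example (not DNAnexus's own code). The `DX_API_TOKEN` and `DX_PROJECT` variable names and the function names are assumptions; the token check enforces only the 32-character length this page states.

```bash
#!/usr/bin/env bash
# Added example: non-interactive dx login for a script or CI job.
# DX_API_TOKEN and DX_PROJECT are assumed names, not dx conventions.

# Accept only a 32-character value with no whitespace. A stray newline or
# space from a copy/paste or a secrets file is rejected before dx sees it.
valid_token() {
  local tok="$1"
  [ "${#tok}" -eq 32 ] || return 1
  [ "$(printf '%s' "$tok" | tr -d '[:space:]')" = "$tok" ]
}

# Log in with the token, skip the interactive project picker, then select
# the one project the script needs. Returns 2 on bad input, 1 on dx failure.
dx_login_noninteractive() {
  local tok="${DX_API_TOKEN:-}"
  local project="${DX_PROJECT:-}"
  if ! valid_token "$tok"; then
    echo "DX_API_TOKEN is missing or is not a 32-character token" >&2
    return 2
  fi
  if [ -z "$project" ]; then
    echo "DX_PROJECT is not set" >&2
    return 2
  fi
  # The error messages above never echo the token itself.
  dx login --token "$tok" --noprojects >/dev/null || return 1
  dx select "$project" >/dev/null || return 1
}

# Optional cleanup for a token issued for a single run only:
# logging out invalidates the token that was used to log in.
dx_logout_single_use() {
  dx logout >/dev/null
}

# Typical use in a job script:
#   dx_login_noninteractive || exit $?
#   ... run dx commands ...
#   dx_logout_single_use
```

Call `dx_logout_single_use` only when the token is not meant to be reused, because logging out invalidates it. The token is passed as a command-line argument, so keep shell tracing (`set -x`) off around the login call to avoid writing it to job logs.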

## Two-Factor Authentication

DNAnexus recommends adding two-factor authentication to your account as an extra layer of protection for all data you can access on the Platform.

With two-factor authentication enabled, you must enter a two-factor authentication code to log into the Platform and access certain other services. This code is a time-based one-time password valid for a single session, generated by a third-party two-factor authenticator application, such as Google Authenticator.

Two-factor authentication protects your account by requiring both your credentials and an authentication code. This prevents unauthorized access even if your username and password are compromised.

### Enabling Two-Factor Authentication

{% hint style="info" %}
DNAnexus recommends using a time-based one-time password (TOTP)–compliant authenticator application on your mobile device. Popular options include Google Authenticator, Authy, Microsoft Authenticator, and 1Password. Google Authenticator is a free application that's available for both Apple iOS and Android mobile devices. Get it on [Google Play](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2) or from the [Apple App Store](https://apps.apple.com/us/app/google-authenticator/id388497605).

If you are unable to use a smartphone application, compatible two-factor authenticator applications that use the TOTP (time-based one-time password) algorithm exist for other platforms.
{% endhint %}

1. From your account menu, select **Account Security**.
2. In the **Two-Factor Authentication** section, click **Enable 2FA**.
3. Choose a TOTP-compatible authenticator application and click **Next**.
4. Enter your current Platform password and click **Next**.
5. Scan the provided QR code with your authenticator app. If you cannot scan it, enter the displayed text code manually into your app instead.
6. Enter the 6-digit code generated by your app and click **Next**.
7. Click **Print** or **Download** to save your one-time-use backup codes in a secure location.
8. Click **Finish & Log Out** to complete setup.

{% hint style="warning" %}
Save your backup codes before closing the setup dialog — they will not be accessible again after you close it. Store them in a secure location. Without backup codes and without access to your authenticator application, Platform login becomes impossible.

[Contact DNAnexus Support](mailto:support@dnanexus.com) if you lose both your codes and access to your authenticator application.
{% endhint %}

### Logging In with a Backup Code

If you lose access to your authenticator application, you can use a saved backup code to log in.

1. Navigate to the Platform login page and enter your username and password.
2. When prompted for your two-factor authentication code, enter one of your saved backup codes instead.

Each backup code can only be used once. Keep track of which codes you have used and store remaining codes securely.

{% hint style="warning" %}
If you lose access to both your authenticator application and your backup codes, you will not be able to log in to the Platform. [Contact DNAnexus Support](mailto:support@dnanexus.com) for assistance.
{% endhint %}

### Disabling Two-Factor Authentication

DNAnexus recommends keeping two-factor authentication enabled after activation. You can disable it manually, provided it has not been strictly enforced by your organization admin.

{% hint style="warning" %}
Turning off two-factor authentication logs you out of all active web sessions immediately and is treated as a [credentials change](#credentials-change). If you re-enable 2FA later, you will need to reconfigure your authenticator application by scanning a new QR code or entering a new secret key, and saving a new set of backup codes.
{% endhint %}

1. From your account menu, select **Account Security**.
2. In the **Two-Factor Authentication** section, click **Turn Off**.
3. In the confirmation dialog, enter your current password and either the 6-digit code from your authenticator app or a backup code.
4. (Optional) Check **Revoke Active Tokens** to immediately terminate all running jobs and active file uploads and downloads.
5. Click **Turn Off**.

{% hint style="info" %}
If you used a backup code to log in to the Platform, you need a second backup code to confirm disabling 2FA in step 3, because each backup code can only be used once.
{% endhint %}

### Troubleshooting Two-Factor Authentication

Code validation failures are most commonly caused by a time-desynchronization issue on your mobile device. This can occur in two ways:

* **Code invalid during setup** — The Platform reports an invalid code immediately after scanning the QR code during initial 2FA setup.
* **Codes stopped working** — You previously set up 2FA successfully, but newly generated codes are no longer accepted at login.

To resolve either issue, enable **Automatic Date and Time** in your device's system settings and restart your phone. This synchronizes your device clock with the server time required for the TOTP algorithm to generate valid codes.


