Login and Logout
Learn how to log into and out of the DNAnexus Platform, via both the user interface and the command-line interface. Learn how to use tokens to log in, and how to set up two-factor authentication.
Logging In and Out via the User Interface
To log in via the user interface (UI), open the DNAnexus Platform login page and enter your username and password.
To log out via the UI, open your account menu and select Sign Out:
Logging In via the Command-Line Interface
To log in via the command-line interface (CLI), make sure you've installed the dx command-line client. From the CLI, enter the command dx login.
Next, enter your username, or, if you've logged in before on the same computer and your username is displayed, hit Return to confirm that you want to use it to log in. Then enter your password.
See below for directions on using a token to log in.
See the Index of dx Commands page for detail on optional arguments that can be used with dx login.
Logging Out via the Command-Line Interface
When using the CLI, log out by entering the command dx logout.
If you use a token to log in, logging out invalidates that token. To log in again, you must generate a new token.
See the Index of dx Commands page for detail on optional arguments that can be used with dx logout.
Auto Logout
Session inactivity
By default, the system logs out users after 15 minutes of inactivity. Exceptions apply to users logged in with an API token that specifies a different session duration, or users in an org with a custom autoLogoutAfter policy.
Contact DNAnexus Support for more information on setting a custom autoLogoutAfter policy for an org.
Credentials change
The system automatically logs out users when they change their account credentials. This happens immediately after the credentials change is complete. Exceptions apply to users logged in with an API token.
The following actions are considered credentials changes:
Change a password
Reset a password
Confirm a new email address after updating account email
Enable or disable multi-factor authentication (MFA)
By default, changing your credentials does not automatically terminate any running jobs or active downloads and uploads that are authenticated on your behalf. When you change your credentials, you can choose Revoke Active Tokens to terminate these running jobs and active transfers. See details on revoking API tokens.
If you suspect your account may be compromised, we strongly recommend that you:
Opt-in to terminate any active jobs authenticated on your behalf.
Rotate your API tokens after changing credentials. That is, delete your existing API tokens and create new ones.
Using Tokens
You can log in via the CLI, and stay logged in for a fixed length of time, by using an API token, also called an authentication token.
Exercise caution when sharing DNAnexus Platform tokens. Anyone with a token can access the Platform and impersonate you as a user. They gain your access level to any projects accessible by the token, enabling them to run jobs and potentially incur charges to your account.
Generating a Token
To generate a token, open your account menu and select My Profile.
Next, click on the API Tokens tab. Then click the New Token button:
The New Token form opens in a modal window:
Consider the following points when filling out the form:
The token provides access to each project at the level at which you have access. See the Projects page for more on project access levels.
If the token provides access to a project within which you have PHI data access, it enables access to that PHI data.
Tokens without a specified expiration date expire in one month.
After completing the form, click Generate Token. The system generates a 32-character token and displays it with a confirmation message.
Copy your token immediately. The token is inaccessible after dismissing the confirmation message or navigating away from the API Tokens screen.
Using a Token to Log In
To log in with a token via the CLI, enter the command dx login --token, followed by a valid 32-character token.
Token Use Cases
Tokens are useful in multiple scenarios, such as:
Logging in via the CLI with single sign-on enabled - If your organization uses single sign-on, logging in via the CLI might require a token instead of a username and password.
Logging in via a script - Scripts can use tokens to authenticate with the Platform.
When incorporating a token into a script, take care to set the token's expiration date such that the script has Platform access for only as long as necessary. Ensure as well that the script only has access to that project or those projects to which it must have access, to function properly.
Revoking a Token
When you revoke API tokens, all running jobs and all active file uploads or downloads authenticated with those tokens are terminated immediately and fail with the error AuthError. Any compute or egress charges incurred up to the point of termination remain billable to the account associated with those operations.
To revoke a token, navigate to the API Tokens screen within your profile on the UI. Select the token you want to revoke, then click the Revoke button:
In the Revoke Tokens Confirmation modal window, click the Yes, revoke it button. The token is revoked, and its name no longer appears in the list of tokens on the API Tokens screen.
When to Revoke a Token
Token shared too widely - Revoke a token if someone with whom you've shared the token should no longer be able to use it, or if you're not certain who has access to it.
Token no longer needed - Revoke a token if a script that uses it is no longer in use, or if a group that had been using it no longer needs access to the Platform, or in any other situation in which the token is no longer necessary.
Logging In Non-Interactively
Though logging in typically requires direct interaction with the Platform through the UI or CLI, non-interactive login is also possible. Scripts commonly automate both login and project selection.
Non-interactive login uses dx login with the --token argument. The dx select command automates project selection. For manual project selection, add the --noprojects argument to dx login.
Two-Factor Authentication
DNAnexus recommends adding two-factor authentication to your account, to provide an extra means of ensuring the security of all data to which you have access, on the Platform.
With two-factor authentication enabled, you must enter a two-factor authentication code to log into the Platform and access certain other services. This code is a time-based one-time password valid for a single session, generated by a third-party two-factor authenticator application, such as Google Authenticator.
Two-factor authentication protects your account by requiring both your credentials and an authentication code. This prevents unauthorized access even if your username and password are compromised.
Enabling Two-Factor Authentication
DNAnexus recommends using a time-based one-time password (TOTP)–compliant authenticator application on your mobile device. Popular options include Google Authenticator, Authy, Microsoft Authenticator, and 1Password. Google Authenticator is a free application that's available for both Apple iOS and Android mobile devices. Get it on Google Play or from the Apple App Store.
If you are unable to use a smartphone application, compatible two-factor authenticator applications that use the TOTP (time-based one-time password) algorithm exist for other platforms.
From your account menu, select Account Security.
In the Two-Factor Authentication section, click Enable 2FA.
Choose a TOTP-compatible authenticator application and click Next.
Enter your current Platform password and click Next.
Scan the provided QR code with your authenticator app. If you cannot scan it, enter the displayed text code manually into your app instead.
Enter the 6-digit code generated by your app and click Next.
Click Print or Download to save your one-time-use backup codes in a secure location.
Click Finish & Log Out to complete setup.
Save your backup codes before closing the setup dialog — they will not be accessible again after you close it. Store them in a secure location. Without backup codes and without access to your authenticator application, Platform login becomes impossible.
Contact DNAnexus Support if you lose both your codes and access to your authenticator application.
Logging In with a Backup Code
If you lose access to your authenticator application, you can use a saved backup code to log in.
Navigate to the Platform login page and enter your username and password.
When prompted for your two-factor authentication code, enter one of your saved backup codes instead.
Each backup code can only be used once. Keep track of which codes you have used and store remaining codes securely.
If you lose access to both your authenticator application and your backup codes, you will not be able to log in to the Platform. Contact DNAnexus Support for assistance.
Disabling Two-Factor Authentication
DNAnexus recommends keeping two-factor authentication enabled after activation. You can disable it manually, provided it has not been strictly enforced by your organization admin.
Turning off two-factor authentication logs you out of all active web sessions immediately and is treated as a credentials change. If you re-enable 2FA later, you will need to reconfigure your authenticator application by scanning a new QR code or entering a new secret key, and saving a new set of backup codes.
From your account menu, select Account Security.
In the Two-Factor Authentication section, click Turn Off.
In the confirmation dialog, enter your current password and either the 6-digit code from your authenticator app or a backup code.
(Optional) Check Revoke Active Tokens to immediately terminate all running jobs and active file uploads and downloads.
Click Turn Off.
If you used a backup code to log in to the Platform, you need a second backup code to confirm disabling 2FA in step 3, because each backup code can only be used once.
Troubleshooting Two-Factor Authentication
Code validation failures are most commonly caused by a time-desynchronization issue on your mobile device. This can occur in two ways:
Code invalid during setup — The Platform reports an invalid code immediately after scanning the QR code during initial 2FA setup.
Codes stopped working — You previously set up 2FA successfully, but newly generated codes are no longer accepted at login.
To resolve either issue, enable Automatic Date and Time in your device's system settings and restart your phone. This synchronizes your device clock with the server time required for the TOTP algorithm to generate valid codes.
Last updated
Was this helpful?