#Signing In to the AiDial Portal

#Overview

The AiDial portal redirects you to the hosted identity provider for password entry, MFA challenge, and recovery-code entry. Your password and MFA codes are not handled directly by the portal.

After the identity provider returns you to the portal, AiDial resolves your role, tenant status, client, and project scope from the DB-backed session context returned by aidial_api before normal access is granted.

#How to Sign In

1. Navigate to the portal — Open your browser and go to the AiDial portal URL provided by your organisation.
2. Enter your email and continue — The portal validates the email format and sends it to the identity provider as a login hint.
3. Enter your credentials — Use the password and any provider-hosted recovery options associated with your AiDial account.
4. Complete multi-factor authentication — If your role requires MFA (see Multi-Factor Authentication), the current session must be enrolled and the MFA challenge must be satisfied before normal portal access is granted.
5. Finish first-time MFA setup if needed — On a first login for a mandatory-MFA role, the portal routes customer and partner users into Settings, and internal AiDial administrator/operator users into Profile, so you can launch the hosted MFA setup flow. There is no general dashboard grace period before MFA is complete.
6. You're signed in — After successful authentication, role/tenant bootstrap, and any required MFA setup, you will be redirected back to the portal dashboard or the page you originally requested.

Your session is maintained securely. You do not need to sign in again until your session expires or you sign out. See Session Security for details on session expiry and management.

#Lost Authenticator Access

If you lose access to your authenticator app, stay on the provider-hosted sign-in flow and use a provider-issued recovery code when the option is available. Recovery-code entry is handled by the identity provider, not by the portal.

If you do not have recovery codes, contact your organisation administrator first. If an administrator cannot help, contact AiDial support at help@aidial.com.au. AiDial Portal cannot bypass MFA, reveal one-time codes, or reset an authenticator from an unauthenticated browser session.

#How Sign-In Is Protected

Browser users sign in through the AiDial portal and should not send X-API-Key. API keys are for trusted direct server-side integrations.

The portal uses a Next.js App Router BFF model: the browser calls portal pages and app/api/ route handlers, and the portal server calls aidial_api with the bearer token from the signed NextAuth session. Shared API transport under lib/aidial-api/ strips inbound X-API-Key headers and injects the server-side bearer token.

Middleware covers non-API page routes. API route handlers under app/api/** enforce their own authentication, role checks, CSRF protection where applicable, and tenant/project scoping.

Portal pages and actions check authentication, role permissions, and tenant/project scope. Navigation visibility is only a convenience and is not a security boundary. Out-of-role or out-of-scope routes are denied without revealing whether another tenant's resource exists.

#Required Runtime Configuration

The sign-in path requires these runtime variables. They are required configuration values; the current code does not define fallback defaults for them:

• NEXTAUTH_SECRET
• NEXTAUTH_URL
• AIDIAL_API_BASE_URL
• AIDIAL_API_TIMEOUT_MS
• ZITADEL_ISSUER
• ZITADEL_CLIENT_ID
• ZITADEL_CLIENT_SECRET

#What You Can Access After Signing In

The portal sections available to you depend on your assigned role. See Roles & Permissions for a complete breakdown of what each role can access.

At a glance:

• Dashboard, Calls, Support, and Settings — Available to client and partner portal roles, with tenant/project scoping enforced server-side.
• Status — Available to client, partner, and internal AiDial roles.
• Billing — Available to client_admin, client_manager, and partner_admin only.
• Compliance — Available to client_admin and client_manager, with administrator-only compliance subpages limited to client_admin.
• Audit Log — Available to client_admin, client_manager, partner_admin, partner_user, aidial_admin, and aidial_operator.
• Partner workspace — Clients, Projects, Outbound Campaigns, and Partner Team are available to partner_admin and partner_user.
• Integrations and Capacity — Available to partner roles and internal AiDial roles where the route or panel permits that role.
• Team — Available to client_admin and visible in read-only mode to client_manager.
• Internal admin — aidial_admin and aidial_operator are redirected away from normal customer/partner portal routes and land in the internal admin surface, starting at the admin home (/admin). Current internal surfaces include Tenants, Users, Incidents, Discounts, Adjustments, Capacity, Integrations, Audit Log, Status, and Profile/remediation pages.

Some actions inside a section may also be limited by role, assigned scope, or route-specific checks. See Roles & Permissions for details.

#Common Access Issues

If you are unable to access the portal or see an "Access Denied" page, here are the most common reasons:

#Wrong Role

Your account role does not have permission to access the page you requested. For recognised roles that are out of scope for a route, the portal displays a generic "not found" page to protect the privacy of other areas. If the portal cannot recognise your role at all, it shows an access-denied state. Contact your organisation's administrator or AiDial support to verify your role assignment.

#Tenant Suspended

Your organisation's account has been suspended or is otherwise not active. Portal access is only available for active tenant accounts. Contact your AiDial account manager or AiDial support for assistance.

#MFA Required

Your role requires multi-factor authentication, but you have not yet enrolled or completed the current MFA challenge. Customer and partner users are directed to Settings, and internal AiDial administrator/operator users are directed to Profile, to launch MFA setup or refresh security status before accessing protected pages. See Multi-Factor Authentication for enrolment steps.

MFA is mandatory for partner_admin, aidial_admin, and aidial_operator. It is optional but recommended for client_admin, client_manager, client_staff, and partner_user.

#Session Validation Unavailable

If the portal cannot resolve your session context during sign-in, it shows an access-denied state for session validation. Try signing in again shortly. If the issue persists, contact AiDial support.

#Unable to Sign In

If you cannot sign in at all:

• Forgotten password — Use the password reset option on the hosted identity provider page if it is available, or contact your administrator.
• Lost authenticator access — Use a provider-issued recovery code on the hosted identity provider page. If you no longer have recovery codes, contact your organisation administrator or help@aidial.com.au.
• Account locked — After too many failed sign-in attempts, your account may be temporarily locked by the identity provider. Wait a few minutes and try again, or contact your administrator.
• Identity provider unavailable — In rare cases, the authentication service may be temporarily unavailable. Try again shortly. If the issue persists, contact AiDial support.
• Stale browser session — If an old session cookie is no longer valid, the portal should show the sign-in form again. Signing in again refreshes the session.

#Next Steps

• Understand your role and permissions
• Set up multi-factor authentication
• Learn about session security