# Signing in

Sign in with email and password, or with Google or GitHub. On the desktop, OAuth is PKCE-native: the app opens your real browser, you authorize there, and the session is handed back securely — no tokens are ever passed inside a URL.

## Sign in with email

- 01Enter your credentialsOn the sign-in screen, type your email and password and click Sign in. If your credentials are wrong, a red callout appears at the top of the card explaining what failed.Sign inEmail + password sign-in on the desktop app.

## Sign in with Google or GitHub

Click Continue with Google or Continue with GitHub. Here’s what happens under the hood:

- 01The app arms a secure listenerFoxora opens a one-time loopback listener on a random local port (and registers the foxora:// deep link as a fallback for a cold start).
- 02Your browser opens to authorizeThe app launches your system browser at the provider’s consent screen. The desktop window shows “Finish signing in in your browser — this window will continue automatically.”Authorizing…The app waits while you authorize in the browser.
- 03The session is handed backAfter you approve, the provider redirects a short-lived code to the loopback listener (or via foxora://), the app exchanges it using PKCE, and you land in the app signed in.

> Stays signed inFoxora keeps your session fresh in the background — it refreshes your token on focus and on a short keep-alive timer so a long agent run never gets interrupted by an expired session.

## Sign out

Open Settings (⌘, / Ctrl+,) → Account and click Sign out. This clears the local session and revokes the token mirrored to the local runtime. See Account & devices to manage every place you’re signed in.