# How sign-in is secured

Foxora's desktop sign-in is gold-standard native OAuth: PKCE end to end, with tokens that never ride inside a link. Here's what that protects you from, and how your session stays fresh without ever interrupting a long agent run.

## PKCE, end to end

When you sign in with Google or GitHub on the desktop, Foxora uses PKCE (Proof Key for Code Exchange). The app generates a one-time secret (the code verifier), opens your real system browser to authorize, and only a short-lived authorization code comes back, which the app then exchanges for a session by presenting that secret. An intercepted code is useless to anyone who does not hold the verifier.
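As an added illustration (not Foxora's own code), a minimal PKCE exchange: the client derives a challenge from a secret verifier, and a hypothetical authorization server only releases a session for a code when the matching verifier is presented, so a captured code on its own buys nothing.

```python
import base64
import hashlib
import hmac
import secrets


def make_verifier() -> str:
    # 32 random bytes -> 43-char base64url string (RFC 7636 allows 43..128 chars)
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def make_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthServer:
    """Hypothetical minimal authorization server: binds each code to its challenge."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}

    def authorize(self, code_challenge: str) -> str:
        # Browser step: user consents, server hands back a one-time code
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def exchange(self, code: str, code_verifier: str):
        # The code is consumed on first use, whether or not the verifier matches
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return None
        if not hmac.compare_digest(make_challenge(code_verifier), challenge):
            return None
        return "access-token-" + secrets.token_urlsafe(8)


def desktop_sign_in(server: AuthServer):
    # Legitimate client: the verifier never leaves the app; only the code crosses the redirect
    verifier = make_verifier()
    code = server.authorize(make_challenge(verifier))
    return server.exchange(code, verifier)


def intercepted_code_is_useless(server: AuthServer) -> bool:
    # Someone who only sees the redirect (the code) cannot redeem it with a verifier of their own,
    # and the attempt burns the code so it cannot be redeemed afterwards either
    verifier = make_verifier()
    code = server.authorize(make_challenge(verifier))
    stolen_attempt = server.exchange(code, make_verifier())
    replay_attempt = server.exchange(code, verifier)
    return stolen_attempt is None and replay_attempt is None
```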

## Tokens never travel in a link

The redirect that returns from your browser — whether to the app’s one-time loopback listener on 127.0.0.1 or via the foxora:// deep link — carries only the PKCE code, never an access token. Your session is never embedded in a URL that could be logged, cached, or shoulder-surfed.

> The same promise on password reset: a reset link works the same way. It opens a secure page where you set a new password, but the link itself never carries your session. See signing in for the full flow.

## Automatic refresh

Once you’re in, Foxora keeps your session alive in the background so a long agent run never dies on an expired token. It refreshes the access token before it nears expiry, on two triggers:

- On focus — whenever the window regains focus, the session is re-synced.
- On a keep-alive timer — a short recurring tick refreshes the token before it can lapse mid-task.

## Device token mirroring

Your agents run through a local runtime that talks to the model gateway on your behalf. For that, Foxora mirrors your access token to the local daemon as its gateway credential — and re-mirrors a fresh one every time the token refreshes, so the daemon never holds a stale token that would fail every gateway call.

- The mirrored token stays on your device — it’s the local runtime’s key to the gateway.
- Each machine and CLI you authorize gets its own mirrored token, refreshed automatically.
- Signing out clears the local session and the mirrored token.

> Lost a device? Because each device holds its own token, you can revoke any one of them. Sign out on the device if you have it, or remove it from the web dashboard; see signing in and the Settings reference.

The principle running through all of this: your credentials stay on your machine, and nothing sensitive is ever passed around in a link.
