Authentik (Single Sign-On)
Website: https://auth.deepinthesand.com
What it does
Authentik is an open-source Identity Provider. It lets you use one username and password (plus 2FA) to log in to almost every service on Deep in the Sand. When a service shows a "Sign in with Authentik" button, click it — if you're already signed in, you'll be let straight through.
Replaces
Okta, Auth0, Microsoft Entra ID (Azure AD), Google Workspace SSO.
First login
- Go to https://auth.deepinthesand.com.
- Enter the username and password Ammo gave you.
- Consider changing your password. See below for steps.
- Setup 2 Factor Authentication - this is really important for security and making sure only you can login. See below for steps.
Changing your password
- Sign in at https://auth.deepinthesand.com.
- Click on the gear icon (top-right) → Settings.
- Click User details, Change password, enter your new password twice and save.
Setting up 2FA (TOTP) — do this immediately
TOTP = time-based one-time passwords, the 6-digit codes that refresh every 30 seconds.
Recommended authenticator apps (FOSS-friendly):
- Android: Aegis Authenticator — encrypted vault with encrypted backups. Install from F-Droid or Google Play.
- iOS: Raivo OTP or Tofu Authenticator. (Aegis is Android-only.)
- Desktop (optional, as a backup): KeePassXC can store TOTP codes alongside your passwords.
Save your recovery / backup codes
When you enable TOTP, you'll be shown one-time recovery codes. Save them somewhere safe — a printed copy in a drawer, or a Secure Note in your Vaultwarden vault. If you lose your phone and don't have these, you will be locked out and Ammo will need to manually reset your 2FA.
Steps:
- In Authentik, click your name → User settings → MFA Authenticators.
- Click Enroll → TOTP Device.
- Open Aegis/Raivo, tap +, choose Scan QR code, scan the QR shown by Authentik.
- Enter the 6-digit code to confirm.
- Save your recovery codes in Vaultwarden under a Secure Note.
Problem with this service? Message Ammo or email admin(Q)deepinthesand(P)com.