First Login
Ema uses an email-first sign-in. You always start by entering your email address; Ema then routes you to the method your administrator configured for your tenant — single sign-on (SSO), a one-time passcode (OTP) sent to your email, or a password. Some tenants also require a second factor (two-factor authentication, or 2FA) after the first step.
Your administrator decides the method. You don't pick how you sign in — your tenant's configuration does. Just enter your email and Ema sends you down the right path automatically. If your email isn't recognized, ask your administrator to invite you.
Authentication methods
| Method | What happens |
|---|---|
| SSO (OIDC or SAML) | Ema hands you off to your organization's identity provider (for example, Okta or Microsoft Entra ID). You authenticate there and are redirected back to Ema. |
| One-time passcode (OTP) | Ema emails you a 6-character code. You enter it on the verification screen. This is the default for tenants that don't use SSO or passwords. |
| Password | Available only when password sign-in is enabled for your tenant. You enter your password after your email. |
Step by step
1. Open the sign-in page
Go to your tenant's Ema URL in a current version of Chrome, Edge, Firefox, or Safari. You'll see the sign-in screen with a single email field.
2. Enter your email
Type the email address your administrator invited you with and select Continue. Ema resolves the right method for your account:
- SSO — Ema redirects you to your identity provider.
- Password — Ema shows a password field (only if password sign-in is enabled).
- OTP — Ema emails you a 6-character one-time passcode and shows the code-entry screen.
3. Complete the first step
If you're sent to SSO:
- Sign in with your identity provider as you normally would.
- Your provider redirects you back to Ema, which finalizes the session and lands you on the AI Employees page.
Ema supports both OIDC and SAML identity providers; the return trip is handled automatically by Ema's OIDC or SAML callback.
If you receive a one-time passcode:
- Check your email for a message from Ema containing a 6-character code.
- Enter the code on the verification screen. The screen shows a countdown until the code expires.
- Select Verify.
If the code doesn't arrive, check your spam folder, then select Request a new code. After too many requests or failed attempts in a short window, sign-in is temporarily locked and the screen shows a countdown until you can try again.
If you're shown a password field:
- Enter your password.
- Select Sign in.
4. Complete two-factor authentication (if required)
If your tenant requires 2FA, Ema adds a second step after you pass the first one. There are two cases.
You already have an authenticator enrolled. Ema shows the Two-factor authentication screen:
- Open your authenticator app and read the current 6-digit code.
- Enter the code and select Verify.
- If you've lost your device, select Use a backup code and enter one of the recovery codes you saved during setup.
You need to set up an authenticator (first-time enrollment). Ema takes you to the TOTP setup flow:
- Scan — Scan the QR code with an authenticator app (such as Google Authenticator, Microsoft Authenticator, or 1Password). If you can't scan, enter the manual setup key shown below the code. The setup session has a countdown; if it expires, return to sign-in and start again.
- Confirm — Enter the current 6-digit code from your app to confirm enrollment.
- Save your backup codes — Ema shows a set of one-time backup codes. Download or copy them and store them somewhere safe — each one lets you sign in once if you lose your authenticator. Confirm you've saved them, then continue.
After 2FA succeeds, Ema lands you on the AI Employees page.
Where you land
After a successful sign-in, you arrive at the AI Employees page — your home in the platform. From here you can:
- Browse and open AI Employees that have been shared with you.
- Search for an AI Employee by name.
- If you have a builder role, select Build an AI Employee to start creating. See Create Your First AI Employee.
Session and security defaults
Ema issues a short-lived access token plus a longer-lived refresh token when you sign in. The refresh token keeps your session alive in the background, so you usually stay signed in across page reloads without re-authenticating. These lifetimes are set by the auth service and can be tuned per deployment.
| Setting | Default | What it controls |
|---|---|---|
| Access-token lifetime | 15 minutes | How long a single access token is valid before it is silently refreshed in the background. By default, 15 minutes (configurable per deployment via EMU_ACCESS_TOKEN_TTL). |
| Refresh-token lifetime | 7 days | The maximum length of an idle session. After this, you sign in again. By default, 7 days (configurable per deployment via EMU_REFRESH_TOKEN_TTL). |
| Account-lockout window | 10 minutes | How long sign-in is temporarily locked after too many failed code entries or code requests. By default, 10 minutes (configurable per deployment via EMU_OTP_SOFT_LOCK_DURATION_MINUTES). |
The temporary lockout is triggered in two ways, both configurable per deployment:
- Too many failed code entries — by default, after 3 failed one-time-passcode or two-factor code entries (
EMU_OTP_MAX_FAILED_ATTEMPTS). - Too many code requests — by default, after 3 one-time-passcode requests within a 10-minute window (
EMU_OTP_MAX_REQUESTS_PER_WINDOWoverEMU_OTP_RATE_LIMIT_WINDOW_MINUTES).
When a lockout is in effect, the sign-in screen shows a countdown until you can try again. The one-time passcode itself also expires — by default, 10 minutes after it is sent (EMU_OTP_TTL_MINUTES) — which is the countdown shown on the code-entry screen.
These are defaults, not guarantees. Each value is an environment setting your administrator can change per deployment, so your tenant's lifetimes and lockout window may differ from the defaults above.
Troubleshooting
| Problem | What to do |
|---|---|
| Email isn't recognized | Your address hasn't been added to the tenant. Ask your administrator to invite you. |
| The one-time passcode never arrives | Check your spam folder. Wait for the resend cooldown, then select Request a new code. |
| "Sign-in is unavailable" | A transient error reaching the sign-in service. Refresh and try again; if it persists, contact your administrator. |
| Sign-in is temporarily locked | Too many attempts or code requests triggered a cooldown. Wait for the on-screen countdown to finish, then try again. |
| "Access denied" after SSO | Your identity provider didn't grant access to the Ema application. Contact your IT team to confirm Ema is assigned to your account. |
| Lost your authenticator | On the two-factor screen, select Use a backup code and enter one of the codes you saved at setup. Using a backup code resets enrollment, so you'll set up a new authenticator afterward. |
What's next
- Create Your First AI Employee — build, test, and publish an AI Employee end to end.
- AI Employee Types — decide which interaction type fits your use case.