NOS Security Improvements FAQ

Updated: November 4, 2022

Nuxeo Online Services is being improved to enhance security. This page details what will happen, when, how you could be impacted and how to prepare for the change.

Authenticating Against Nuxeo Online Services

From your Browser - What Changes?

  • To access Nuxeo Online Services, you need to enter your email address instead of your username in the login page. If you registered for a trial using Google, use the login with Google button.



From the Command Line - What Changes?

To use our APIs, for instance in the following cases:

When authenticating, you need to provide your username (unchanged), and a token instead of a password (new). Refer to our token management documentation for further details.

Multi-Factor Authentication

Multi-factor authentication (MFA) is needed to authenticate.

If you have not set up your MFA yet, you will be able to set it up while logging in. This second factor will be requested once a week to authenticate.


When you log into Nuxeo Online Services using the browser, a second authentication factor will be requested to enhance your account security.

These factors can be one of the following:

  • Code provided by a smartphone application (most secure)
  • Voice call to a phone number
  • SMS sent to a phone number (less secure)


MFA is used only in the browser. It is not needed when using command line tools to automate tasks.

Multi-Factor Authentication FAQ

Who is Impacted by the Change?

This change only applies to people using Nuxeo Studio and Nuxeo Marketplace (called developers from here on). It won't have any effect on people working every day in your Nuxeo Server instance, even if this instance is hosted in Nuxeo Cloud.

Can you Provide a Summary of the Change?

When authenticating into Nuxeo Studio or Nuxeo Marketplace, developers are requested to set up a second authentication factor using their phone.

The second factor setup is requested if it is not done yet, then it is asked once a week during authentication.

General FAQ

What is a Token?

A token is a randomly generated string that can be used as a replacement for your password when authenticating to our services. It is meant to be used as a replacement for your password in all places where you would need to write down your password, but would rather avoid to disclose it: for instance in configuration files.

Feel free to check our token management documentation for further details.

Do I Need a Particular Hotfix for These Changes?

No hotfix is required.
Latest hotfixes and tool versions only pack additional help to mention tokens instead of passwords when needed, starting from the following versions:

  • 8.10-HF47
  • 9.10-HF39
  • 10.10-HF19

These changes are only visual to clarify how our new authentication system works and have no functional impact.

I'm Using an Unsupported Nuxeo Server Version. Should I Be Concerned?

The same applies for formerly supported releases: no need for code change. Authentication against Nuxeo Online Services when using our command line tools and APIs will have to be done using tokens instead of passwords.

Why Make These Changes?

Nuxeo is partnering with Okta, an industry leader around authentication security to bring these changes. They are made as part of our continuous effort to improve security and bring several benefits:

  • Storage decoupling: Your password will be stored by our partner Okta. This ensures it benefits from even better protection.
  • Stronger authentication system: Partnering with Okta allows us to provide new features to secure your account, like multi-factor authentication.
  • Single Sign-On: Signing into Your Nuxeo Online Services account will allow you to access our different services seamlessly, without being prompted for credentials again.

We'd love to hear your thoughts!

All fields required