Signing in

RebelCore™ is a web app — there’s nothing to install. The sign-in surface is the same for every user; what differs is whether the second factor is your authenticator app (portal users) or a six-digit code sent by email (agent-only users).

Where to go

URL	What it is
https://www.rebelcore.ai/login	Public sign-in form. Every user lands here.
https://{your-slug}.rebelcore.ai	Your customer’s portal subdomain — the workspace lives here once you’re signed in.
https://{your-slug}.agent.rebelcore.ai	Your customer’s RebelCore™ Agent subdomain. Agent-only users are routed here automatically after sign-in.

{your-slug} is the short name your customer was provisioned under — your administrator knows it. Once you’re signed in you’ll stay on your own subdomain unless you go back to www.

First-time sign-in (invite link)

Accounts are no longer handed out with a temporary password. When your administrator creates your account, RebelCore™ emails you an invite link:

1. Open the email titled “Set your password — RebelCore™”. The link is valid for 24 hours.
2. Click the link. You’ll land on a Set your password page.
3. Pick a password — at least 12 characters, with at least one letter and one digit. Confirm it.
4. Submit. The link is consumed at this point; if you re-open it, the page says “This invite link is no longer valid”.
5. You’re sent to the sign-in form to enter the email + password you just set.

Note

If the invite link expired before you used it, ask your administrator to click Resend invite on your user row — a fresh link will be in your inbox within seconds.

Two-factor authentication

Two-factor is mandatory for every account. The flow that runs depends on which surface you sign in to:

Surface	Second factor
RebelCore™ portal ({your-slug}.rebelcore.ai)	Authenticator app (TOTP) — Google Authenticator, 1Password, Microsoft Authenticator, Authy, etc.
RebelCore™ Agent ({your-slug}.agent.rebelcore.ai)	Email OTP — a six-digit code sent to your registered email.
CAS (cas.rebelcore.ai)	Authenticator app (TOTP).

Enrolling your authenticator on first portal sign-in

The first time you sign in to the portal, RebelCore™ shows a Set up two-factor authentication screen:

1. Scan the QR code with your authenticator app, or copy the manual-entry key into the app by hand.
2. Type the six-digit code your app shows into the Verify box.
3. Click Verify and continue.

You’ll then see your backup codes — a one-time list of recovery codes (each is single-use).

• Copy or download them. You won’t be shown them again.
• Each code can be used in place of an authenticator code if you lose your phone.
• Once a code is used it’s burnt — re-using it fails.

If you lose both your authenticator and your backup codes, your Customer Super Admin can reset 2FA for you from the user blade in the portal; you’ll be prompted to re-enrol on the next sign-in.

Signing in once enrolled

1. Enter email + password and submit.
2. The form switches to the six-digit prompt:
   • On the portal, type the code from your authenticator app — or switch to Use a backup code instead and paste one.
   • On the agent, RebelCore™ emails you a code; type that.
3. Click Verify and continue.

If the code envelope expires while you’re looking for your phone, the form bounces you back to the credentials step with “Your sign-in attempt expired. Please log in again.” Just sign in again — a fresh code is minted automatically.

Forgot your password

The form has a Forgot password? link on the credentials screen. Click it, enter your email, and submit:

• RebelCore™ always responds “If an account exists for that email, a reset link is on its way” — the response is the same whether the address matches or not, so the form can’t be used to enumerate accounts.
• If the address does match a real user, a reset email is sent within seconds. The link is valid for 60 minutes.
• Click the link, set a new password (same rules as the invite flow), then sign in normally.

Any outstanding reset links are burnt the moment you successfully complete one, so an attacker who snagged a previous reset email loses its value.

Account lockout

To slow down brute-force attempts, every account has a soft lockout:

• 5 consecutive failed attempts (wrong password or wrong second-factor code) trigger a 15-minute lockout.
• During the lockout the form shows “Your account is temporarily locked. Try again in N minutes.” — even a correct password is refused until the timer expires.
• A successful sign-in resets the counter.
• Lockouts are visible to your Customer Super Admin in the user blade — they can clear one manually if you need access urgently.

Signing out

Click your initials in the top-right corner and choose Sign out. You’ll be returned to the sign-in form. The session cookie is cleared on both the portal and the agent so the next visit starts cold.

Trouble signing in?

• “Invalid email or password” — re-check the email (case-insensitive) and password (case-sensitive). If you copy-pasted the password, watch for a trailing space.
• The form looks normal but my second-factor code keeps failing — check the clock on your phone is correct; authenticator codes are time-based and a phone drifted by more than ~30 s won’t verify. On the agent side, check your spam folder for the email-OTP.
• “Your invite/reset link is no longer valid” — links are single-use and time-limited. Ask your administrator to Resend invite (or request a fresh password reset).
• “Your account is temporarily locked” — wait 15 minutes, or ask your Customer Super Admin to clear the lockout.
• You don’t have an account yet — accounts are created by your administrator from the Users page. Reach out to whoever onboarded you and they’ll send you the invite.

What happens next

Once you sign in, you land in your workspace — the home screen for everything you can do. Continue to Your workspace for the tour.