--- title: Logging in description: How to get through the Cloudflare Access front door at ops.useargus.co with Google sign-in or a one-time PIN, who is allowed in, and how to troubleshoot. --- # Logging in **Goal:** sign in to the Operations Console at `ops.useargus.co`. The console sits behind Cloudflare Access. Every request is intercepted before it reaches the application, so the first thing you see is a branded sign-in page ("Log in to Operations Console", with the header "Authorized operators only. Sign in with your RION or Argus account."). The operator-facing team domain is `argus-ops.cloudflareaccess.com`. ## Prerequisites * An email address covered by the operator allowlist. The allow policy admits emails ending in `rionsolution.com` or `useargus.co`. If your address is on another domain, an admin must add you (see below). * For Google sign-in: a Google Workspace account in the `useargus.co` organization. ## Steps 1. Open `https://ops.useargus.co/` in your browser. 2. Cloudflare Access intercepts and renders the sign-in page. You have two options: * **Sign in with Google** (recommended). Click the Google Workspace button and complete the Google sign-in. This is single sign-on backed by the company Google Workspace. * **One-time PIN** (fallback). Enter your email address; Cloudflare emails you a 6-digit one-time code. Enter the code on the page. 3. On success, Cloudflare sets a session cookie (a `CF_Authorization` JWT, 24 hours by default). Subsequent requests pass straight through to the console until the cookie expires. 4. The console loads. Continue with [Console basics](/docs/getting-started/console-basics) to set up your operator token. ## Verify * You land on the console UI (not the sign-in page) and the navigation rail renders. * Reloading the page within the session window does not re-prompt for login. * To re-test the gate itself, open `https://ops.useargus.co/` in a fresh private/incognito window: the Cloudflare Access sign-in page should appear. ## Who is allowed in Access is controlled by a single allow policy on the Cloudflare Access application: an operator allowlist that admits email addresses ending in `rionsolution.com` or `useargus.co`. Both identity providers (Google and one-time PIN) are accepted; whichever you use, the resulting identity must match the allowlist. To add a new operator, an admin edits the policy in the Cloudflare Zero Trust dashboard (Access controls, then Applications, then the Operations Console app, then Policies). It is dashboard work only; no code change is required. ## Troubleshooting **Google signed you in as a different address than you expected.** Google returns your Workspace *primary* identity as the email claim. The company Workspace primary domain is `useargus.co`, so even if you normally use a `@rionsolution.com` address, Google sign-in can resolve you to `@useargus.co`. Both domains are on the allowlist, so this is harmless, but it explains why the console may show a different email than the one you typed. If the Google account picker offers multiple accounts, pick the company Workspace account, not a personal one; a personal account's email will not match the allowlist and Access will deny it. **The one-time PIN email did not arrive.** The PIN is sent by Cloudflare to the exact address you entered. Confirm the address is on an allowlisted domain and re-request the code. **You were signed in but the console asks for a token.** That is expected. Cloudflare Access is the perimeter; the console itself authenticates API calls with a Personal Access Token (PAT). See [Console basics](/docs/getting-started/console-basics). **Signing out.** The console's sign-out clears your local operator token only. The Cloudflare Access perimeter session is separate; a Cloudflare logout link is offered alongside the sign-out action. --- For a semantic overview of all documentation, see [/sitemap.md](/sitemap.md) For an index of all available documentation, see [/llms.txt](/llms.txt) For agent-facing discovery, including API and MCP surfaces, see [/agents.md](/agents.md)