# First login

When the first administrator opens the vault, the app walks you through a short sequence: sign in with your corporate identity, enroll a passkey on this device, and complete a three-step onboarding card. Everything that follows in the vault, from editing policy to creating keys, depends on the passkey you enroll here.

## Sign in with SSO

![The Sodot Crypto Vault login screen: the wordmark and an isometric illustration on the left, a "Sign in with Google" button on the right.](/img/guide/getting-started/login.png)
*The login screen. Which provider buttons appear depends on your deployment; this vault is configured for Google. There is no separate vault password.*

1. Open your vault URL in a browser.
2. Click **Sign in with Google**.
3. Complete authentication in your identity provider (Google Workspace). The vault accepts whoever your IdP confirms as you; no separate vault password exists.
4. The vault exchanges the OAuth code for a session token and redirects you to the **Offchain Keys** page.

:::tip
Bookmark your vault URL after this first login. Token refresh happens silently on subsequent visits, so you do not need to click the provider button each time.
:::

## Enroll a passkey

If you have no passkey enrolled yet, the vault immediately shows a full-screen enrollment modal. You cannot dismiss it or navigate away; a passkey is required before any other action.

![The full-screen "Add Passkey" enrollment modal with a device-name field and a "Create Passkey" button, shown over the Offchain Keys page.](/img/guide/getting-started/passkey-enrollment.png)
*Passkey enrollment is mandatory on first login — there is no close or cancel button. Name the device, then approve the platform-authenticator gesture.*

1. Enter a name for this device (for example, "MacBook Pro" or "Office workstation"). The name appears in your passkeys list so you can identify devices later.
2. Click **Create passkey**.
3. Your browser invokes the platform authenticator. Depending on your device and OS, you will see Face ID, Touch ID, Windows Hello, or a PIN prompt.
4. Approve the gesture. The passkey is created and stored on this device (or in your password manager if one is configured to handle passkeys).

**Why a passkey is required:** every state-changing operation in the vault, including policy edits, key imports, and user management, requires a passkey signature from the acting user. The vault does not rely solely on your SSO session for sensitive actions; the passkey proves physical presence and is phishing-resistant.

:::tip
Add a second passkey from the [Passkeys and account security](/guide/users-groups/passkeys-account-security) page as soon as the onboarding flow is complete. If you lose access to your only passkey device, another administrator must initiate a passkey reset on your behalf.
:::

## Complete the onboarding card

After passkey enrollment, an onboarding card appears in the bottom-right corner of the screen on the **Admin Policy** and **Users & Groups** pages. The card tracks three setup steps with a progress bar.

The three steps are:

1. **Configure Admin Policy** - grants specific groups the ability to perform administrative actions. Until at least one group has a rule, most operations remain denied.
2. **Create First Group** - creates the initial group that Admin Policy rules will reference.
3. **Add First User** - adds the first non-bootstrap user to the vault.

Each step links directly to the relevant page. The card marks a step complete as soon as the underlying state exists (for example, any group other than the bootstrap group counts as "Create First Group" done). Once all three steps are complete, the card shows a "You're all set!" message and a **Done** button that dismisses it permanently.

![The onboarding card in its completed state: 100% progress, all three steps marked Completed, and a "You're all set!" message with a Done button.](/img/guide/getting-started/onboarding-card-complete.png)
*Once all three steps exist, the card reads "You're all set!". Click Done to dismiss it permanently. (Shown here on the Admin Policy page.)*

## Where to go next

After dismissing the onboarding card:

* [Understanding Administrative Policy](/guide/admin-policy/understanding) - learn how deny-by-default works before you change anything.
* [Configure your admin policy](/guide/admin-policy/configure) - assign actions to groups and activate the policy.
* [Groups](/guide/users-groups/groups) - create the groups that policies reference.
* [Human users](/guide/users-groups/human-users) - invite the rest of your team.
