Default visibility
New accounts default to private sessions, so only you can see them. You can change this any time on your settings page, or share an individual session from the session detail page. Once youโve set your visibility to Repository, newly created sessions are shared with other members of your GitHub organization when they occurred within a repository associated with your organization that you have write access to. Changing this setting does not retroactively update existing sessions. For example:| Detected origin | Effect |
|---|---|
| github.com/wandb/hivemind | Shared with members of the wandb GitHub org that have write access to wandb/hivemind |
| github.com/vanpelt/dotfiles | Only visible to you |
| none | Only visible to you |
Repository visibility gating
When sessions are shared with your organization, each member only sees sessions for repositories their GitHub account has write access to. You always see your own sessions regardless. Write access is verified through the HiveMind GitHub App, which must be installed on at least one of your linked GitHub organizations.Workspaces
Every session belongs to one workspace. Workspaces are tied to your GitHub org membership:- Organization workspaces are GitHub organizations with the HiveMind GitHub App installed.
- Personal workspaces get created automatically for sessions that donโt match any registered org.
Device-local configuration
To make all coding sessions go to your personal workspace instead of using the git repository to determine visibility, run the following:This setting only applies to the machine you ran the command on. There is also a global configuration setting you can configure on your settings page to default to private sessions globally.
| Setting | Effect |
|---|---|
sessions.private = false | Sessions in org GitHub repos visible to your org (default) |
sessions.private = true | All sessions visible only to you |
Per-repo overrides
Sometimes the global setting isnโt granular enough. You might want most sessions private, but still share work on your teamโs main repo. Or you might keep things open by default, but lock down a sensitive project. Thatโs whatorg_repos and private_repos are for.
Always share a repo (allowlist)
Repos inorg_repos are visible to your org even when sessions.private is true:
Always hide a repo (denylist)
Repos inprivate_repos are private no matter what. This wins over everything else:
org/repo or host/org/repo.
Example config
Global configuration
If you want all sessions to default to being private and associated with your personal workspace, you can change the global default settings from your settings page.How the rules stack up
When HiveMind decides whether a session is visible:private_repos: if the repo is here, itโs private. Full stop.org_repos: if the repo is here, itโs shared with members of the org who have write access to the repo.sessions.private: the fallback for a device, defaults to false.- Global setting: if a repo was not made public via
org_reposand the global setting is private, itโs private.
Single sign-on (SSO)
Organization admins can require members to authenticate through their companyโs identity provider (IdP) instead of relying on GitHub credentials alone. This is configured from the Admin > Authentication page.How it works
HiveMind supports OpenID Connect (OIDC), which is compatible with most identity providers (Okta, Azure AD, Google Workspace, and others). An admin registers their IdPโs issuer URL and client ID in the admin panel. Once configured, the admin can optionally enforce SSO so that all members must sign in through the IdP to access organization data. HiveMind uses PKCE (Proof Key for Code Exchange) for the OAuth flow, so a client secret is only needed if your IdP doesnโt support public clients. When provisioning HiveMind as a service provider, choose โNative Appโ if your IdP asks.What members see
When SSO enforcement is turned on, members who havenโt authenticated via the IdP see a prompt to log in through SSO before they can view any organization sessions. Members can still access their personal workspace without SSO.SCIM provisioning
If your organization uses SCIM, HiveMind can automatically sync your IdPโs user directory. Members removed from the IdP lose access to the organization workspace. SCIM is configured from the Admin > SCIM page.Authentication
HiveMind attempts to authenticate automatically using your GitHub identity. The daemon tries these methods in order, picking the first one that works:- SSH signature: signs a challenge with your SSH key (silent, most common).
- GitHub credential helper: pulls a token from your git credential manager (silent).
- GitHub CLI: uses your
gh authtoken (silent). - Browser OAuth: opens your default browser to log in via GitHub or your orgโs SSO (interactive, used when no silent credential is available).
- Device OAuth: prints a code to enter at GitHub or your orgโs SSO identity provider, for headless machines without a usable browser.
Workload identity federation
For CI runners and other ephemeral environments, the daemon can exchange a short-lived OIDC ID token from a trusted provider for a HiveMind token at runtime, so thereโs no static secret to manage:- GitHub Actions: the daemon presents the workflowโs OIDC token. The HiveMind app verifies the repo, ref, and workflow claims and mints a daemon token.
- Modal: Modal-issued OIDC tokens are exchanged the same way, attributing sessions to a configured service account.
- Generic OIDC: any IdP that can produce a project-scoped ID token (Kubernetes projected service-account tokens, custom OIDC providers) can be wired up by pointing
HIVEMIND_OIDC_TOKEN_FILEat a file the IdP keeps refreshed.
Personal access tokens
Where federation isnโt available (one-off scripts, third-party CI you donโt fully control), mint a token under Settings > Personal Access Tokens and export it asHIVEMIND_TOKEN. Org admins can disable PATs or restrict them to write scope from the admin panel.
Scopes
Every HiveMind token carries ascopes claim (read, write, or both) that controls what API calls it can make. Write lets the daemon upload sessions and emit telemetry. Read lets you view other usersโ sessions in the dashboard and CLI.
| Login method | Default scope |
|---|---|
| Browser OAuth (GitHub or SSO) | read + write |
| Device OAuth | read + write |
| Personal access token | Chosen at creation, subject to admin policy |
| Service account / federated OIDC | Whatever the service account was created with |
| SSH signature, credential helper, gh CLI | write only when your org enforces SSO |
hivemind login --method sso_browser).