Skip to main content
Configure authentication, authorization, encryption, API access control, and custom scripts for your Agent Platform account.
FeatureDescription
Authentication SettingsAuthenticate users through an external Identity Provider using SAML, WS-Federation, or OpenID Connect
Authorization ProfilesDefine how the Platform authenticates with external web services using OAuth and other token-based methods
Encryption Key ManagementConfigure platform-managed or bring-your-own-key (BYOK) encryption for account data
API ScopesCreate permission-limited API keys scoped to specific endpoints and integrations
Custom ScriptsImport, deploy, and manage custom scripts in isolated containers via API or tool flows

Authentication Settings

Authentication Settings lets administrators configure how users sign in to the Platform. You can enable Single Sign-On (SSO) to authenticate users through your organization’s identity provider, and Multi-Factor Authentication (MFA) to add a second layer of verification for email/password sign-ins.
Only account owners and admins can configure Authentication Settings.

How SSO and MFA Work Together

The Platform supports two authentication paths, and MFA scope adjusts automatically based on which path is active:
Authentication StateWho Signs In Via Email/PasswordMFA Managed By
SSO DisabledAll usersPlatform (applies organization-wide)
SSO EnabledSSO-excluded users onlyPlatform (applies to excluded users only); the Identity Provider (IdP) manages all other users’ MFA

Access Authentication Settings

  1. Log in to your account and click Settings on the top navigation bar.
  2. In the left menu, go to Security & Control > Authentication Settings.
The page is divided into two sections:
  • Single Sign-On (SSO) Configuration
  • Multi-Factor Authentication (MFA).

Single Sign-On (SSO)

SSO allows users to access their Platform accounts using credentials managed by an external IdP. Once authenticated with the IdP, users can access the Platform without a separate login. Key benefits:
  • Secure Access — Reduces password fatigue and the risk of phishing or weak passwords.
  • Simplified User Management — Centrally grant or revoke access across all users.
  • Improved User Experience — Eliminates repeated logins within the same session.
  • Centralized Access Control — Enforce and monitor security policies across all applications from one place.
Supported SSO Protocols and Providers
ProtocolProviders
SAML 2.0Okta, OneLogin, Other Provider
WS-FederationWindows Azure, Other Provider
OpenID Connect Google

How SSO Works

  1. User attempts to access their account.
  2. The Service Provider (SP) redirects the user to the IDP login page.
  3. User authenticates with the IDP.
  4. IDP issues an authentication token.
  5. SP validates the token and grants access.
  6. User accesses the account without re-authenticating for the rest of the session.

SSO Status

The SSO Status toggle at the top of the SSO Configuration section controls whether SSO is active for your organization.
Toggle StateBehavior
SSO Disabled (default)All users authenticate via email and password. The SSO Protocol, Identity Provider, and SSO-Excluded Users sections are hidden.
SSO EnabledUsers authenticate through the configured identity provider. The SSO Protocol, Identity Provider, and SSO-Excluded Users sections appear.

Enable SSO

  1. On the Single Sign-On page, click Enable SSO.
  2. Select a Sign-on protocol and SSO provider.
  3. Enter the configuration parameters for your selected protocol and provider (see Configuration Parameters).
  4. Add at least one SSO-excluded user (see SSO-Excluded Users).
  5. Select Save.

Disable SSO

Disabling SSO collapses the SSO Protocol, Identity Provider, and SSO-Excluded Users sections, and reverts all users to email/password authentication. The MFA section updates automatically to reflect organization-wide scope. Steps:
  1. Go to Security & Control > Authentication Settings.
  2. Under SSO Status, toggle off SSO Enabled (it will show SSO Disabled).
  3. In the confirmation dialog, select Yes to confirm.
Previously configured SSO parameters are retained and visible if you re-enable SSO.

SSO-Excluded Users

When SSO is enabled, all users must sign in through the configured IdP by default. Use this section to designate specific users who can bypass SSO and sign in via email/password instead — useful when the SSO provider is unavailable, misconfigured, or the certificate has expired.
The account owner is excluded by default. It is strongly recommended to exclude at least one additional admin user as a fallback.

Add an Excluded User

  1. Enter a valid email address in the Add User Email field.
  2. Click Add User. The user appears as a chip in the Excluded Users list.
  3. Click Save.
Sign-In Flow for Excluded Users Excluded users can sign in via email/password even when SSO is enabled. If MFA is configured, they are prompted to complete verification before access is granted.

Configuration Parameters

SAML
ProviderRequired Parameters
OktaOkta Single Sign-On URL — SSO endpoint for SP-initiated flow
Identity Provider Issuer — Entity URL that authenticates users
Certificate — Public certificate to validate user signatures (up to 2)
OneLoginSAML 2.0 Endpoint — SSO endpoint for SP-initiated flow
Issuer URL — Same role as Identity Provider Issuer (Okta)
X.509 Certificate — Same role as Certificate (Okta)
OtherSingle Sign-On URL — IDP SSO endpoint
Issuer URL — Same role as Identity Provider Issuer (Okta)
Certificate — Same role as Certificate (Okta)
WS-Federation
ProviderRequired Parameters
Windows AzureAzure AD Sign-On Endpoint URL — URL for sign-on/sign-off requests; responses go to the Reply URL in your Azure AD config
Azure AD Federation Metadata Document — URL for the federation metadata document
OtherAD Sign-On Endpoint URL — Same role as Azure AD Sign-On Endpoint URL
AD Federation Metadata Document URL — Same role as Azure AD Federation Metadata Document
OpenID Connect
ProviderRequired Parameters
GoogleNone — users authenticate with their existing Google credentials
When multiple certificates are added, the system uses the most recent valid one. If it’s invalid, it automatically falls back to other available certificates.

Multi-Factor Authentication (MFA)

MFA adds a second layer of verification during sign-in for users who authenticate via email/password. The Platform supports the following MFA methods: Email Verification, Authenticator App (TOTP), and SMS.

Enable MFA

  1. Go to Security & Control > Authentication Settings.
  2. Under MFA Status, toggle MFA Required.
  3. Under Allowed MFA Methods, select the methods to enable — Email Verification, Authenticator App, or SMS.
  4. Click Save.

Disable MFA

  1. Under MFA Status, toggle off MFA Required (it will show MFA Disabled).
  2. Click Save.

MFA for Users (First Login)

When MFA is enabled and a user signs in for the first time:
  1. The user enters their email address and password.
  2. The Platform prompts the user to set up an MFA method.
  3. On subsequent logins, the user is prompted to enter their MFA verification code.
  4. On successful verification, access is granted.

SSO Protocol Reference

SAML 2.0

Security Assertion Markup Language (SAML) is a protocol for web-based SSO that uses secure tokens instead of passwords. It allows IDPs and SPs to operate separately. When a user logs into a SAML-enabled app, the service provider requests authorization from the IDP, which authenticates the user and grants access to the application.

How SAML works

SAML SSO works by transferring the user’s identity from one place (the IDP) to another (the SP) through an exchange of digitally signed XML documents. When a user logs into a system that acts as an IDP and tries to access his Platform account, the following happens:
  1. The user accesses the remote app on the IDP portal using the sign-on endpoint URL, and the application loads.
  2. The application identifies the user’s origin (by application subdomain, user IP address, or similar) and redirects the user back to the IDP, asking for authentication. This is the authentication request.
  3. The user either has an existing active browser session with the IDP or establishes one by logging into the IDP.
  4. The IDP builds the authentication response in an XML document containing the user’s username or email address, signs it using an X.509 certificate, and posts this information to the SP.
  5. The SP, which already knows the IDP and has a certificate fingerprint, retrieves the authentication response and validates it using the certificate fingerprint.
  6. The user’s identity is established, and the user is provided with the Platform account access.

Okta

  1. Go to Single Sign-OnEnable SSO → select SAML and Okta.
  2. In the Okta Developer Portal, go to ApplicationsCreate App Integration → select SAML 2.0 → click Next.
  3. Enter an App Name under General Settings → click Next.
  4. Under Configure SAML, paste values from the Platform’s SSO page:
    • ACS URL for SP-initiated SAML flowSingle Sign-On URL
    • ACS URL for IDP-initiated SAML flowAudience URI (SP Entity ID)
  5. Click NextFinish.
  6. On the Sign On tab, click View Setup Instructions and copy:
    • Identity Provider Single Sign-On URL → paste into Okta Single Sign-On URL on the Platform
    • Identity Provider Issuer → paste into Identity Provider Issuer on the Platform
  7. Go to Sign OnSAML Signing Certificates → click Download certificate under Actions.
  8. Open the certificate in a text editor and copy the data between BEGIN CERTIFICATE and END CERTIFICATE.
  9. Paste the value into the Certificate field on the Platform’s SSO page. To add a second certificate, click + Add New.
  10. Click Save.

OneLogin

  1. Go to Single Sign-OnEnable SSO → select SAML and OneLogin.
  2. In the OneLogin Developer Portal, go to ApplicationsAdd Apps, search for your Platform app, and save it.
  3. From SSOEnable SAML 2.0, copy:
    • OneLogin SAML 2.0 Endpoint (HTTP) → paste into SAML 2.0 Endpoint on the Platform
    • OneLogin Issuer URL → paste into Issuer URL on the Platform
  4. Click View Details on the X.509 Certificate field → copy the certificate data (between BEGIN CERTIFICATE and END CERTIFICATE).
  5. Paste into the X.509 Certificate field on the Platform’s SSO page. To add more, click + Add New.
  6. Copy ACS URL for SP-initiated SAML flow and ACS URL for IDP-initiated SAML flow from the Platform and paste them into the corresponding fields in OneLogin.
  7. Click Save in both the Platform and OneLogin.

Other SAML Providers

  1. Go to Single Sign-OnEnable SSO → select SAML and Other.
  2. Fetch the SSO configuration parameters from your IDP’s developer portal.
  3. Paste the values into the relevant fields on the Platform’s SSO page.
  4. Copy ACS URL for SP-initiated SAML flow and ACS URL for IDP-initiated SAML flow from the Platform and paste them into your IDP app settings.
  5. Click Save.

WS-Federation

WS-Federation enables SSO by sharing signed security tokens across different domains. After the IDP authenticates the user, it issues a token that the relying party validates before granting access.

Windows Azure

  1. Go to Single Sign-OnEnable SSO → select WS-Federation and Windows Azure.
  2. On your AD FS server, open AD FS Management → go to ADFSServiceEndpointsMetadata to locate the Federation Metadata URL.
  3. Copy the IdP URL from the metadata and paste it into Azure AD Sign-On Endpoint URL on the Platform.
  4. Paste the Azure Federation Metadata URL into Azure AD Federation Metadata Document on the Platform.
  5. Click Save.

Other WS-Federation Providers

  1. Go to Single Sign-OnEnable SSO → select WS-Federation and Other.
  2. Copy the SSO endpoint URL from your IDP and paste it into AD Sign-On Endpoint URL.
  3. Copy the WS-Federation metadata document URL from your IDP and paste it into AD Federation Metadata Document URL.
  4. Click Save.

OpenID Connect

OpenID Connect (OIDC) is an authentication layer built on OAuth 2.0. The Platform currently supports Google as the OIDC provider.

Google

  1. Go to Single Sign-OnEnable SSO → select OpenID Connect and Sign in with Google.
  2. Click Save.
No further configuration is required. Users authenticate with their Google account credentials.

Authorization Profiles

Authorization (Auth) Profiles define how the Platform authenticates with external web services. Configure profiles once and reuse them across API nodes, AI nodes, and other integrations. Key capabilities:
  • Define auth methods such as OAuth tokens, passwords, and custom parameters
  • Enforce consistent access control across multiple integrations
  • Test connections before putting them into production
  • Reuse profiles to reduce configuration effort

Access Authorization Profiles

  1. Go to Autonomous AgentsSettings.
  2. Click Security & ControlAuthorization Profile.

Supported Auth Types

TypeDescriptionUse Case
OAuth V2Token-based authorization supporting user-interactive flowsThird-party API access (e.g., “Sign in with Google”)
OAuth V2 Client CredentialMachine-to-machine flow using client ID and secret; no user interactionServer-to-server communication, microservices

Add an Auth Profile

  1. On the Authorization Profile page, click Create Authorization Profile (for your first profile) or Add New Auth.
  2. In the New Authorization Mechanism dialog, select the Authorization Type.
  3. Enter the Identity Provider Name (required).
  4. Fill in the required fields (see Field Reference below).
  5. Optionally click + Add Additional Field or + Add Authorization Field.
  6. Click Save New Auth.

Field Reference

FieldDescriptionRequiredAuth Type
Authorization TypeOAuth V2 or OAuth V2 Client CredentialYesBoth
Identity Provider NameName of the IDP, e.g., OktaYesBoth
DescriptionPurpose of the auth profileNoBoth
Callback URLRedirect URL after the user grants or denies permissionYesBoth
Client IDUnique app identifier used by the authorization serverYesBoth
Client SecretConfidential key for authenticating the app with the serverYesBoth
Authorization URLEndpoint where users authenticate and grant permissionsYesOAuth V2 only
Subdomain (Tenancy URL)Tenant-specific URL in multi-tenant systemsYesOAuth V2 only
Token Request URLEndpoint to exchange an auth code for an access tokenYesBoth
ScopeLevel of access requested, e.g., read_profileNoBoth
Refresh Token URLEndpoint to get a new access token when the current one expiresNoOAuth V2 only
Auth Error Status CodeHTTP status code returned on authorization failureNoBoth
Additional FieldsExtra key-value pairs for the end user (e.g., PIN code)NoOAuth V2 only
Authorization FieldsToken-passing fields: Header, Payload, Query String, or Path ParamNoOAuth V2 only
If the Refresh Token URL or refresh token expires, the auth profile will fail wherever it is used. The admin receives an email notification to reconfigure.

Add Additional Fields

Use additional fields to collect supplemental authorization data from end users alongside standard credentials — for example, a PIN code or device ID.
  1. Click + Add Additional Field in the New Authorization Mechanism window.
  2. Enter a Field Key (name, e.g., Pin code) and Field Value (e.g., 2344567).
  3. Click Done.
The field appears in the Additional Fields list where you can edit or delete it.

Add Authorization Fields

Authorization fields define how token data is passed in API requests.
ParameterOptionsRequired
Field TypeHeader, Payload, Query String, Path ParamYes
Field KeyName of the auth field, e.g., Profile_idYes
Field ValueValue for the field, e.g., 123_xyzNo
  1. Click + Add Authorization Field in the New Authorization Mechanism window.
  2. Fill in the fields and click Done.

Test an Auth Profile

Click Test next to a configured profile to verify it establishes a connection with the external service. If the test fails, edit the profile with the correct values and retest.

Manage Auth Profiles

Edit: Click the ellipsis (⋯) menu → Edit → update fields in the Update Authorization Mechanism window → click Update New Auth.
Authorization Type and Name cannot be changed after the profile is created. All other fields are editable.
Delete: Click the ellipsis (⋯) menu → Delete → confirm. Deleted profiles cannot be recovered.

Encryption Key Management

The Platform encrypts all account data. You can use the platform’s built-in key management or integrate with your organization’s external Key Management System (KMS) using Bring Your Own Key (BYOK).
Encryption is configured at the account level. All apps within an account share the same encryption key.

Platform-Managed Encryption

The Platform automatically encrypts all data using built-in keys — no configuration required. Keys rotate every 90 days.

Bring Your Own Key (BYOK)

Use keys stored in your own KMS to control encryption and decryption. The Platform communicates with your external KMS for all cryptographic operations. If your KMS is unavailable, the Platform falls back to default encryption. Supported providers: AWS KMS, Azure Key Vault

Configure BYOK

  1. Go to SettingsKey Management.
  2. Click Configure BYOK.
  3. Select your cloud provider and enter the required configuration details.

Azure Key Vault

Required service principal permissions:
  • Key Vault Crypto Service Encryption User
  • Microsoft.KeyVault/vaults/keys/encrypt/action
  • Microsoft.KeyVault/vaults/keys/decrypt/action
  • Microsoft.KeyVault/vaults/keys/wrap/action
  • Microsoft.KeyVault/vaults/keys/unwrap/action
  • Microsoft.KeyVault/vaults/keys/read
Configuration fields:
FieldDescription
Key Vault URLEndpoint of your Azure Key Vault instance
Tenant IDMicrosoft Entra ID tenant identifier for the Azure subscription where the Key Vault resides
Key NicknameUser-defined label to identify the key in the Platform
Activation DateDate from which the key becomes active and available for use

AWS KMS

Required IAM permissions: 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:*:*:key/*",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:tenant_id": "${aws:RequestedRegion}"
        }
      }
    }
  ]
}
Configuration fields:
FieldDescription
ARNAmazon Resource Name that uniquely identifies your AWS KMS key
Role ARNARN of the IAM role that grants the Platform permission to use the KMS key
Key NicknameUser-friendly label to identify the key in the Platform
Activation DateDate from which the key can be used for encryption and decryption

API Scopes

API Scopes replace unrestricted management API keys with permission-limited, scoped keys. Create API apps with specific scopes so each integration only accesses the endpoints it needs. Key rules:
  • API keys are restricted to assigned scopes; requests to other scopes are automatically rejected.
  • Multiple API keys can exist per app.
  • An API key cannot be shared across multiple apps.
  • API keys cannot be modified after creation — only deleted.
  • Each key can only be copied once (copy-once policy).

Access API Scopes

  1. Go to Autonomous AgentsSettings.
  2. Click Security & ControlAPI Scopes.

Supported Scopes

ScopeDescription
Deploy ToolDeploy a specific tool into an environment (sync or async)
Undeploy ToolRemove a deployed tool from an environment
Deploy ModelDeploy an open-source or fine-tuned model in Ready to Deploy state
Undeploy ModelRemove a deployed model from an environment
Import ModelImport a model into the Platform in chunks
Import ToolImport a new tool into the system
Export ModelExport a trained AI model from the system
Export ToolExport a tool’s configuration and associated data
Deploy GuardrailsDeploy guardrails for security and content moderation
Undeploy GuardrailsRemove previously deployed guardrails
View ConnectionsView connection details
Manage ConnectionsCreate and update connections

Create an API App

  1. On the API Scopes page, click Create an API App.
  2. Click Untitled App and enter an app name.
  3. Select the required scopes from the list.
  4. Click Next.

Create an API Key

This step completes the app setup. At least one API key is required.
  1. Click Create API Key.
  2. Enter a key name and click Generate Key.
  3. Click Copy and Close to copy the key.
The API key is shown only once. Save it in a secure location. If lost, you must revoke it and generate a new one — this may disrupt any services currently using the key.
  1. Click Done.
The app summary displays: app name, assigned scopes, creator, and creation date.

Manage Apps and Keys

Rename or update scopes: Hover over the app → click Edit → update the name or select/deselect scopes → click Save. Delete an API key: In the app’s API Keys tab, hover over the key → click Delete → confirm.
Deleting a key that is actively in use will immediately break any services relying on it. Generate a replacement key before deleting if the key is in production use.
Delete an app: Hover over the app → click Delete → confirm. For role and permission details for API-scoped apps, see Role Management.

Custom Scripts

Admins can import, deploy, and manage custom scripts directly from SettingsManage Custom Scripts. Scripts run in isolated containers and can be invoked via the API node endpoint or embedded in the Function node of a tool flow.
CapabilityDescription
Task AutomationAutomate repetitive or complex tasks without manual intervention
Secure API IntegrationCall scripts via API endpoints with key-based authentication
CustomizationImplement business-specific logic and custom workflows
Data ProcessingTransform, filter, or validate data for operational requirements
Error HandlingDefine custom error-checking and fallback mechanisms

Access Custom Scripts

  1. Go to Autonomous AgentsSettings.
  2. Click Manage Custom Scripts in the left menu.

Import and Deploy a Script

Click + Import or + Import New, then complete the four-step wizard.

Step 1: General Details

FieldDetails
Script NameA unique name for the script
DescriptionPurpose and capabilities of the script
Base LanguageJavaScript (v20.19.0) or Python (v3.10.15)
Project File.zip, .gz, or .tar file — max 1 GB
Click Validate after uploading. Resolve any errors before proceeding. Project structure requirements:
  • Include main.py (Python) or main.js (JavaScript) at the archive root — only functions defined in this file are exposed via API.
  • Include requirements.txt (Python) or package.json (JavaScript) at the root if your script has external dependencies.
  • Use relative imports when referencing files within the project.
  • Access environment variables using os.getenv('<key>') in Python or process.env.<key> in JavaScript.
Download the sample project from the wizard to verify your file matches the required structure. Structure differs by language, so use the correct sample for your chosen language.

Step 2: Runtime Settings

SettingDescriptionRange / Default
Environment VariablesKey-value pairs accessible from the script at runtimeCustom
Execution TimeoutMaximum time the script is allowed to run30–600 seconds
Built-in environment variables (always available):
  • UPLOADS_DIR — Read-only access to files uploaded via Public APIs.
  • WORKSPACE_DIR — Read-write directory for the script’s file operations.
Both directories are only accessible while the container is deployed.

Step 3: Resource Allocation

Scaling parameters:
ParameterRangeDefault
Min Replicas1–101
Max Replicas1–101
Average Compute Utilization1–100%75%
Average Compute Utilization is disabled when Min and Max replicas are equal. Hardware profiles:
ProfileActual CPU & MemoryCredits/Hour
1 vCPU / 2 GB0.7 vCPU / 1.1 GB0.077
2 vCPUs / 4 GB1.5 vCPUs / 2.5 GB0.154
2 vCPUs / 8 GB1.5 vCPUs / 6.5 GB0.144
4 vCPUs / 8 GB3.5 vCPUs / 6 GB0.308
4 vCPUs / 16 GB3.5 vCPUs / 13.5 GB0.288

Step 4: Review and Deploy

  1. Review all sections — General Details, Runtime Settings, and Resource Allocation. Click any section to go back and edit.
  2. Accept the Terms and Conditions.
  3. Optionally click Save as Draft to deploy later.
  4. Click Deploy.
After successful deployment, a confirmation email is sent to the admin with the subject “Custom script deployed successfully — API Endpoint Available”, including remaining credits and total allocation.

Script Statuses

StatusDescriptionCan Redeploy?
DraftSaved but not yet deployedNo
DeployingDeployment in progressNo
Ready to DeployConfigured and ready for deploymentYes
DeployedRunning successfully in the environmentYes
Deployment FailedDeployment did not complete successfullyYes
Hover over a Deployment Failed status to see the error reason.

Actions

ActionAvailable WhenDescription
ExportAll statusesDownloads the project as a .zip file to your local system
UndeployDeployedRemoves the script from all deployed locations; status changes to Ready to Deploy
DeleteNot deployedPermanently removes the script and all its data — cannot be undone
RedeployDeployed, Ready to DeployRe-runs the import flow so you can update description, project file, runtime settings, or resource allocation (name, language, and version cannot be changed)
You cannot delete a deployed script. Undeploy it first, then delete.
After a script is undeployed, a confirmation email is sent to the admin with the subject “Your custom script has been undeployed successfully”.

Script Detail Pages

Each script entry has four tabs:
TabWhat It Shows
OverviewCurrent configuration (General Details, Runtime Settings, Resource Allocation) and available actions based on deployment status
Deployment HistoryFull history of deployments and undeployments — version, timestamp, duration, deployed by, and final status. Expand any row for detailed configuration at that point in time
EndpointThe activated endpoint in cURL, JavaScript, and Python formats. Copy any format directly into your application. Only available when the script is in Deployed status
API KeysCreate and manage secret API keys for authenticated access to the script’s endpoint

API Keys for Scripts

  1. Go to the script’s API Keys tab.
  2. Click Create a New API Key.
  3. Enter a name and click Generate Key.
  4. Click Copy and Close.
Secret keys are shown only once. Store the key securely. If lost, delete the key and generate a new one.
To delete a key: hover over it → click the Delete icon → confirm. A deleted key is immediately invalidated.

Use a Script via the API Node

  1. In the API node configuration, click Define Request.
  2. On the script’s Endpoint tab, copy the cURL code.
  3. Paste it into the Edit Request dialog.
  4. Select an Auth Profile if the endpoint requires authentication (or select None).
  5. Add headers (e.g., Content-Type: application/json) and body parameters as needed.
  6. Click Test to validate the request, then Save.
For full API node configuration options, see API Node.