Authentication

Introduction

Braintrust has a unique architecture which involves deploying your API endpoints and data in your own cloud environment. These endpoints are secured so that only users from your organization can access them. In fact, you could even run these endpoints in a VPN that Braintrust's servers can't access, and the application will work! This guide walks through how your users and services are able to authenticate within this architecture.

End-user authentication

The most common form of authentication is end-user authentication to the Braintrust application. Users authenticate with your enterprise's identity provider (e.g. Google, Okta) and receive credentials directly to their browser. These credentials are later used to communicate with the Braintrust API endpoint deployed in your cloud.

API authentication

You can authenticate on behalf of users in your experiments or services using an API key. Braintrust API keys inherit their user's permissions and are essentially another way to authenticate as that user. To increase security, API keys are not stored anywhere and are displayed to the user only once. If you lose an API key, you will need to generate a new one (and can deactivate the old one).

You can create an API key on the settings page.
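
The display-once, deactivate-and-reissue lifecycle described above can be modelled as follows. This is an added example, not Braintrust's code or API: `KeyStore`, the `sk-<id>-<secret>` key format, and the choice to keep only a SHA-256 digest on the server are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class KeyStore:
    """Hypothetical server-side store that keeps digests only, never the key."""

    def __init__(self):
        self._records = {}  # key_id -> {"digest", "user", "active"}

    def issue(self, user):
        """Create a key for `user`; the returned string is the only copy."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)   # 256 bits of randomness
        api_key = f"sk-{key_id}-{secret}"    # constructed format
        self._records[key_id] = {
            # A fast hash is acceptable because the key is high-entropy random
            # data, unlike a human-chosen password.
            "digest": hashlib.sha256(api_key.encode()).digest(),
            "user": user,
            "active": True,
        }
        return key_id, api_key

    def authenticate(self, presented):
        """Return the owning user, or None if the key is unknown or inactive."""
        parts = presented.split("-", 2)
        if len(parts) != 3 or parts[0] != "sk":
            return None
        record = self._records.get(parts[1])
        if record is None or not record["active"]:
            return None
        digest = hashlib.sha256(presented.encode()).digest()
        # Constant-time comparison avoids leaking digest bytes through timing.
        if not hmac.compare_digest(digest, record["digest"]):
            return None
        # The caller acts as this user, so the key carries the user's permissions.
        return record["user"]

    def deactivate(self, key_id):
        """Revoke a lost or leaked key; a replacement comes from issue()."""
        self._records[key_id]["active"] = False

    def stored_material(self):
        """Everything the server retains about issued keys (digests only)."""
        return [r["digest"] for r in self._records.values()]
```

Because only the digest is retained, a lost key cannot be recovered from the store, which is why the remedy is to issue a new key and deactivate the old one.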

Configuring SSO

Make it easy for your team to access Braintrust with your company's existing login system. We use Clerk behind the scenes to support several SSO/SAML providers:

SSO

  • Google
  • Microsoft

SAML

  • Okta Workforce
  • Microsoft Entra ID
  • Google Workspace
  • Custom SAML provider

OpenID Connect (OIDC)

  • Custom OIDC provider

We'll help you get set up: just email us at support@braintrust.dev to exchange the appropriate configuration URLs. Once everything's configured, we'll turn it on for your domain and your team can start signing in using their regular work credentials.