End-user authentication
The most common form of authentication is end-user authentication to the Braintrust application. Users authenticate with your enterprise’s identity provider (e.g. Google, Okta) and receive credentials directly in their browser. These credentials are later used to communicate with the Braintrust API endpoint deployed in your cloud.
API authentication
You can authenticate on behalf of users in your experiments or services using an API key. Braintrust API keys inherit their user’s permissions and are essentially another way to authenticate as a user. To increase security, API keys are stored as one-way cryptographic hashes and cannot be recovered. The actual key is only displayed once upon creation. If you lose an API key, you will need to generate a new one (and can deactivate the old one). You can create an API key by going to Settings, then under Organization, select API keys.
MCP authentication
The Braintrust MCP (Model Context Protocol) server uses API key or OAuth 2.0 authentication, depending on the AI tool used to access the server. When AI tools use OAuth 2.0 to authenticate, they:
- Initiate an OAuth authorization flow.
- Redirect users to authenticate with their Braintrust account.
- Receive for API requests.
- Use to maintain long-lived sessions.
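As an added example (not Braintrust's code), the following shows how API keys like those described under API authentication can be stored only as one-way hashes, returned once at creation, and deactivated after a loss. The `ApiKeyStore` class, the `demo-` key format and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class ApiKeyStore:
    """Illustrative store: keeps a one-way hash of each key, never the key."""

    def __init__(self):
        # key_id -> {"user", "digest", "active"}; stands in for a database table.
        self._rows = {}

    @staticmethod
    def _digest(secret):
        # Assumption: SHA-256. A fast hash is acceptable here only because the
        # secret is 256 bits of randomness, unlike a human-chosen password.
        return hashlib.sha256(secret.encode()).digest()

    def create(self, user):
        """Return (key_id, full_key); the full key exists only in this return value."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._rows[key_id] = {"user": user, "digest": self._digest(secret), "active": True}
        return key_id, f"demo-{key_id}-{secret}"  # hypothetical key format

    def authenticate(self, presented):
        """Return the owning user, or None for unknown, malformed or inactive keys."""
        parts = presented.split("-", 2)  # the secret itself may contain "-"
        if len(parts) != 3 or parts[0] != "demo":
            return None
        row = self._rows.get(parts[1])
        if row is None or not row["active"]:
            return None
        # Constant-time comparison so timing does not reveal digest bytes.
        if not hmac.compare_digest(row["digest"], self._digest(parts[2])):
            return None
        return row["user"]

    def deactivate(self, key_id):
        """Disable a key by id; a lost key cannot be presented, so the id is used."""
        row = self._rows.get(key_id)
        if row is None:
            return False
        row["active"] = False
        return True

if __name__ == "__main__":
    store = ApiKeyStore()
    key_id, key = store.create("alice@example.com")  # constructed sample user
    print("shown once:", key)
    print("stored row:", store._rows[key_id])  # digest only, no plaintext
```

Because only the digest is kept, a database leak does not expose usable keys, and the only remedy for a lost key is to create a replacement and deactivate the old id.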
Configure SSO
Make it easy for your team to access Braintrust with your company’s existing login system. We use Clerk behind the scenes to support several SSO/SAML providers:
SSO
- Microsoft
SAML
- Okta Workforce
- Microsoft Entra ID
- Google Workspace
- Custom SAML provider
OpenID Connect (OIDC)
- Custom OIDC provider