Braintrust has a unique architecture which involves deploying your API endpoints
and data in your own cloud environment. These endpoints are secured so that only users from your organization can access
them. In fact, you could even run these endpoints in a VPN that Braintrust’s servers can’t access, and the application
will work! This guide walks through how your users and services are able to authenticate within this architecture.
The most common form of authentication is end-user authentication to the Braintrust application. Users authenticate with
your enterprise’s identity provider (e.g. Google, Okta) and receive credentials directly to their browser. These credentials
are later used to communicate with the Braintrust API endpoint deployed in your cloud.
You can authenticate on behalf of users in your experiments or services using an API key. Braintrust API keys
inherit their user’s permissions, and are essentially another way to authenticate as that user. To increase security,
API keys are not stored anywhere and are displayed to the user only once. If you lose an API key, you will need
to generate a new one (and can deactivate the old one). You can create an API key on the settings page.
Make it easy for your team to access Braintrust with your company’s existing login system. We use Clerk behind the scenes to support several SSO/SAML providers:
To get set up, email us at [email protected] to exchange the appropriate configuration URLs. Once everything’s configured, we’ll turn it on for your domain and your team can start signing in using their regular work credentials.