Braintrust has a unique architecture which involves deploying your API endpoints
and data in your own cloud environment. These endpoints are secured so that only users from your organization can access
them. In fact, you could even run these endpoints in a VPN that Braintrust’s servers can’t access, and the application
will work! This guide walks through how your users and services are able to authenticate within this architecture.
The most common form of authentication is end-user authentication to the Braintrust application. Users authenticate with
your enterprise’s identity provider (e.g. Google, Okta) and receive credentials directly to their browser. These credentials
are later used to communicate with the Braintrust API endpoint deployed in your cloud.
You can authenticate on behalf of users in your experiments or services using an API key. Braintrust API keys
inherit their user's permissions and are essentially another way to authenticate as a user. To increase security,
API keys are not stored anywhere, and are only displayed to the user once. If you lose an API key, you will need
to generate a new one (and can deactivate the old one). You can create an API key by going to Settings, then under Organization, select API keys.
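The show-once, never-stored property described above is normally achieved by keeping only a hash of the key on the server and comparing against it in constant time. The following is an added illustration of that pattern, not Braintrust's own implementation: the `bt_` prefix, the key layout, the `ApiKeyStore` class and its methods are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class ApiKeyRecord:
    key_id: str
    key_hash: str  # SHA-256 of the secret; the secret itself is never persisted
    user_id: str   # the key acts with this user's permissions
    created_at: float
    active: bool = True


class ApiKeyStore:
    """Hypothetical server-side store: issues keys, shows the secret once,
    and verifies presented keys against their hash."""

    def __init__(self) -> None:
        self._records: Dict[str, ApiKeyRecord] = {}

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def create(self, user_id: str) -> Tuple[str, str]:
        """Return (key_id, secret). The caller displays the secret once and
        then discards it; only its hash is kept here."""
        key_id = secrets.token_hex(8)
        secret = f"bt_{key_id}_{secrets.token_urlsafe(32)}"  # constructed key format
        self._records[key_id] = ApiKeyRecord(
            key_id=key_id,
            key_hash=self._hash(secret),
            user_id=user_id,
            created_at=time.time(),
        )
        return key_id, secret

    def authenticate(self, presented: str) -> Optional[str]:
        """Return the owning user_id for a valid, active key, else None."""
        parts = presented.split("_", 2)  # the random tail may itself contain '_'
        if len(parts) != 3 or parts[0] != "bt":
            return None
        record = self._records.get(parts[1])
        if record is None or not record.active:
            return None
        # Constant-time comparison so timing does not leak how much of the hash matched.
        if not hmac.compare_digest(record.key_hash, self._hash(presented)):
            return None
        return record.user_id

    def deactivate(self, key_id: str) -> bool:
        """Revoke a key (e.g. after it was lost); returns False if unknown."""
        record = self._records.get(key_id)
        if record is None:
            return False
        record.active = False
        return True


if __name__ == "__main__":
    store = ApiKeyStore()
    key_id, secret = store.create("user-42")
    print("show this once and never again:", secret)
    print("authenticates as:", store.authenticate(secret))
    store.deactivate(key_id)
    print("after deactivation:", store.authenticate(secret))
```

Because only the hash is stored, a leak of the store does not leak usable keys, and a lost key cannot be recovered, which is exactly why a replacement must be generated.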
Model Context Protocol (MCP) servers use OAuth 2.0 for authentication. When AI tools connect to Braintrust’s MCP server, they:
Initiate an OAuth authorization flow.
Redirect users to authenticate with their Braintrust account.
Receive access tokens for API requests.
Use refresh tokens to maintain long-lived sessions.
This authentication method inherits your organization’s security policies and SSO configuration. MCP OAuth tokens follow the same permission model as your user account, providing access only to projects and resources you can normally access.
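The four steps above, carried through as an added example that is not Braintrust's code: an OAuth 2.0 authorization-code client with PKCE and state checking, plus a constructed stand-in authorization server so the whole exchange runs offline. The `AUTHORIZE_URL`/`TOKEN_URL` values, the `McpOAuthClient` and `FakeAuthServer` classes, and the 60-second refresh margin are all assumptions for the example; the page does not give the MCP server's real endpoints.

```python
import base64
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints for the example only.
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"
TOKEN_URL = "https://auth.example.invalid/oauth/token"

TokenEndpoint = Callable[[Dict[str, str]], Dict[str, object]]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


class McpOAuthClient:
    """Client side of the flow: start authorization, handle the redirect,
    and hand out a bearer token that is refreshed before it expires."""

    def __init__(self, client_id: str, redirect_uri: str,
                 token_endpoint: TokenEndpoint, now: Callable[[], float] = time.time) -> None:
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self._token_endpoint = token_endpoint  # injected so the example runs offline
        self._now = now
        self._verifier: Optional[str] = None
        self._state: Optional[str] = None
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None
        self.expires_at = 0.0

    def authorization_url(self) -> str:
        """Step 1: build the URL the user is redirected to (fresh PKCE verifier + state)."""
        self._verifier = _b64url(secrets.token_bytes(32))
        self._state = _b64url(secrets.token_bytes(16))  # anti-CSRF binding for the redirect
        challenge = _b64url(hashlib.sha256(self._verifier.encode("ascii")).digest())
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "code_challenge": challenge,
                  "code_challenge_method": "S256", "state": self._state}
        return f"{AUTHORIZE_URL}?{urlencode(params)}"

    def handle_redirect(self, redirect_url: str) -> None:
        """Steps 2-3: user authenticated and came back; verify state, exchange the code."""
        query = parse_qs(urlparse(redirect_url).query)
        if self._state is None or query.get("state", [None])[0] != self._state:
            raise ValueError("state mismatch: redirect does not belong to this flow")
        code = query["code"][0]
        self._store(self._token_endpoint({
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": self.redirect_uri, "client_id": self.client_id,
            "code_verifier": self._verifier}))
        self._verifier = None  # single use
        self._state = None

    def bearer_token(self) -> str:
        """Step 4: return a valid access token, refreshing within 60 s of expiry."""
        if self.access_token is None or self.refresh_token is None:
            raise RuntimeError("not authorized yet")
        if self._now() >= self.expires_at - 60:
            self._store(self._token_endpoint({
                "grant_type": "refresh_token", "refresh_token": self.refresh_token,
                "client_id": self.client_id}))
        return self.access_token

    def _store(self, resp: Dict[str, object]) -> None:
        self.access_token = str(resp["access_token"])
        self.refresh_token = str(resp.get("refresh_token", self.refresh_token))
        self.expires_at = self._now() + float(resp.get("expires_in", 3600))


class FakeAuthServer:
    """Constructed stand-in for the authorization server (not the real MCP server)."""

    def __init__(self) -> None:
        self._codes: Dict[str, str] = {}  # code -> code_challenge it was issued for
        self.refreshes = 0

    def authorize(self, auth_url: str) -> str:
        """Simulate the user logging in; returns the redirect back to the client."""
        query = parse_qs(urlparse(auth_url).query)
        code = secrets.token_hex(8)
        self._codes[code] = query["code_challenge"][0]
        return query["redirect_uri"][0] + "?" + urlencode({"code": code, "state": query["state"][0]})

    def token(self, params: Dict[str, str]) -> Dict[str, object]:
        if params["grant_type"] == "authorization_code":
            challenge = self._codes.pop(params["code"])  # a code is redeemable once
            if _b64url(hashlib.sha256(params["code_verifier"].encode("ascii")).digest()) != challenge:
                raise PermissionError("PKCE verification failed")
        elif params["grant_type"] == "refresh_token":
            self.refreshes += 1
        else:
            raise ValueError("unsupported grant_type")
        return {"access_token": secrets.token_hex(16),
                "refresh_token": secrets.token_hex(16), "expires_in": 3600}
```

The state check is what stops a redirect forged for another session from completing this one, and PKCE means an intercepted authorization code is useless without the verifier the client never sent over the front channel.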
Make it easy for your team to access Braintrust with your company’s existing login system. We use Clerk behind the scenes to support several SSO/SAML providers:
To get set up, email us at [email protected] to exchange the appropriate configuration URLs. Once everything’s configured, we’ll turn it on for your domain and your team can start signing in using their regular work credentials.