Authentication

User and service authentication methods.

User Authentication

Method	Status
Email/password	Supported
Okta SSO	Supported
Google Workspace	Supported
Azure AD	Coming Soon

MFA available via TOTP (Google Authenticator, Authy).

Sessions

JWT tokens with RS256 signing
Configurable expiry (default: 24 hours)
Automatic refresh for active sessions
Admins can revoke sessions

API Keys

Available soon. Keys will be scoped (chat, tools, documents, admin) and revocable.

Control Plane ↔ Data Plane

JWT authentication on every request
1 hour token expiry (refreshed automatically)
RS256 signature verified using CorpAI public key
Tokens include org_id for tenant isolation

IRSA

Pods access AWS services via IAM Roles for Service Accounts:

No static credentials
Scoped to specific service accounts
Automatic rotation

Next

Network Security →

Last updated on January 14, 2026

Encryption Network Security