For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Logo
AI Hub
OverviewApp editorFlow editorAdminAPI & SDK
OverviewApp editorFlow editorAdminAPI & SDK
  • Administration
    • About administration tools
    • Account settings
    • Organization settings
    • User and access management
    • Identity and security
      • Configuring SAML SSO for multi-tenant AI Hub
      • Configuring SAML SSO for single-tenant AI Hub
      • Configuring OIDC SSO for multi-tenant AI Hub
      • Configuring OIDC SSO for single-tenant AI Hub
      • Configuring OAuth providers
      • Adding OAuth account mappings
      • Managing secrets
      • Viewing audit logs
    • Data connections
    • Billing and usage
    • Network architecture
AI Hub
On this page
  • Adding account mappings
  • Updating account mappings
  • Deleting account mappings
AdministrationIdentity and security

Adding OAuth account mappings

Was this page helpful?
Built with
Enterprise

Enterprise-tier organizations can use their OAuth provider to manage API access using externally generated tokens. After configuring an OAuth provider, create account mappings to link AI Hub accounts to external identities. When an API request is made with an externally managed token, AI Hub validates the token and extracts the subject claim to identify the account. The request is then authorized based on either:

  • The token’s scope claim, if present and valid, which defines role-based permissions for the token.

  • Or, if no valid scope is provided, the mapped account’s assigned roles and associated permissions.

Admins can add and manage OAuth account mappings.

Adding account mappings

Adding account mappings is similar for user and service accounts. Each mapping connects an AI Hub account to a unique external account identifier in your OAuth provider. Each account can have one mapping per configured OAuth provider.

Before you begin

Before adding account mappings, ensure you have:

  • Configured an OAuth provider for your organization.

  • Taken note of external account identifiers for each user or service account you want to map. This identifier must match the value passed in the issued token’s subject claim.

AI Hub looks for the subject in the sub claim, unless configured otherwise.

  1. In the header, click the initials icon and select Settings. Select the organization name tab.

  2. For user accounts, on the Members tab, select the user account to map. For service accounts, on the Service accounts tab, select the service account to map.

  3. In the OAuth account mappings section, click Add mapping.

  4. Add a display name to identify the mapping.

  5. Select an OAuth provider configuration.

  6. Enter the external account identifier.

  7. Click Add mapping.

Updating account mappings

You can update the display name of an account mapping.

The external account identifier and OAuth provider can’t be changed for existing mappings. To update these values, delete the mapping and create a new one.

  1. In the header, click the initials icon and select Settings. Select the organization name tab.

  2. Select the Members or Service accounts tab.

  3. Select the user or service account with the mapping to update.

  4. In the OAuth account mappings section, locate the mapping to update. Click the overflow icon Icon with three stacked vertical dots., then select Edit mapping.

  5. Make any changes, then click Update mapping.

Deleting account mappings

Deleting an account mapping immediately revokes the ability to use OAuth tokens associated with that external account identifier. Active tokens are invalidated on their next use.

  1. In the header, click the initials icon and select Settings. Select the organization name tab.

  2. Select the Members or Service accounts tab.

  3. Select the user or service account with the mapping to delete.

  4. In the OAuth account mappings section, locate the mapping to delete. Click the overflow icon Icon with three stacked vertical dots., then select Delete mapping.

  5. Enter the confirmation text, then click Delete to confirm.

To delete all mappings, navigate to the OAuth account mappings section of the account’s details page, then click More > Delete all mappings.