Configuring OAuth providers | Instabase AI Hub Documentation

Enterprise

Enterprise-tier organizations can use their OAuth provider to manage API access using externally generated tokens. Configuring an OAuth provider enables secure authorization for AI Hub API access following OAuth 2.0 standards. When you configure an OAuth provider, AI Hub validates tokens issued by your provider instead of generating its own tokens.

Admins can add and manage OAuth provider configurations. You can add multiple configurations for your organization.

Using externally managed tokens is a two-step process.

Configure an OAuth provider, described below.
Create account mappings for each user or service account that needs tokens.

Both steps must be completed before accounts can use OAuth provider tokens for API access.

Configuration overview

Adding an OAuth provider configuration involves creating OAuth application registrations in your OAuth provider, then adding configuration details to AI Hub. You then create account mappings in AI Hub to link app registrations in your OAuth provider to AI Hub user or service accounts, enabling token-based API authentication.

When a mapped account makes an API request using an externally managed token:

An access token is requested from the OAuth provider.
The OAuth provider issues an access token in the form of a JSON web token (JWT).
The token is included in the AI Hub API request as the bearer token.
AI Hub validates the token signature, issuer, audience, and expiration.
AI Hub looks up the account mapping using the token’s subject claim.
AI Hub authorizes the request based on either:
- The scope claim, if present and valid, which defines the token’s permissions using role UUIDs.
- Or, if no valid scope is provided, the mapped account’s assigned roles and associated permissions.

AI Hub supports flexible OAuth configurations. You can add multiple OAuth provider configurations to your organization, and each user or service account can have multiple account mappings (one per OAuth provider configuration). The number of app registrations you create in your OAuth provider is up to you—AI Hub only requires that each account mapping has a unique subject claim value.

OAuth provider configuration requirements

Review the following requirements for your app registration. The registration process varies by provider. Refer to your OAuth provider’s documentation for specific setup steps.

Audience — The audience identifies the intended recipient of the token (AI Hub). AI Hub provides a suggested audience value in the format api://<organization-id>.<aihub-environment-url> (such as api://company.aihub.instabase.com), or you can define a custom one. Regardless, the audience value defined in your provider and AI Hub must match exactly.
Token claims — Each token must contain claims identifying the subject, expiry, and audience. AI Hub expects these values in the sub, exp, and aud claims, respectively. Tokens can also include an optional scp claim that controls token permissions. You can use custom claims for subject, expiry, and scope; audience must be passed under aud.

Claim mapping

AI Hub expects tokens to include required information in the sub, exp, and aud claims and can optionally include a scp claim. While the aud claim must be used, you can use custom claim names for the others. To let AI Hub know which custom claims to look at, you use claim mapping. If using custom claims, be sure the passed values meet the expected format and requirements.

Claim	Description	Expected format	Notes
subject	The unique identifier for the account. This value must be unique among all account mappings in your organization.	String	Default `sub`, custom claim mapping supported. Primary identifier used to map OAuth tokens to AI Hub accounts. Must match exactly when creating account mappings.
expiry	When the token expires.	Unix timestamp (seconds since epoch)	Default `exp`, custom claim mapping supported. Tokens are rejected after expiration. Industry best practice is 15-60 minutes.
scope	Permissions granted to the token as a space-separated list of role UUIDs.	Space-separated string of role UUIDs	Default `scp`, custom claim mapping supported. Defines the token’s effective organization and workspace roles. When present and valid, scope overrides roles assigned in the AI Hub UI for the lifetime of the token. If scope is omitted or empty, the token uses the mapped account’s assigned roles.
audience	Identifies the intended recipient of the token (AI Hub)	String or array of strings	Must be named `aud` and value must match the audience value configured in AI Hub. This ensures tokens are intended for AI Hub APIs.

Understanding scope permissions

The scope claim uses role UUIDs to control token permissions. Each API endpoint requires specific actions, and each role UUID grants a set of action permissions. Permission sets correspond to organization and workspace roles. When a scope value is set, it overrides the mapped account’s AI Hub-assigned roles for that token. When the scope claim is omitted or empty, the token uses the mapped account’s roles.

AI Hub validates that all scope entries are known prebuilt role UUIDs. The following table lists common organization and workspace role UUIDs:

Role	Type	UUID
Admin	Organization	`00000000-0000-0000-0000-000000000800`
Member	Organization	`00000000-0000-0000-0000-000000000900`
Developer	Workspace	`00000000-0000-0000-0000-000000003000`
Tester	Workspace	`00000000-0000-0000-0000-000000005000`
Review manager	Workspace	`00000000-0000-0000-0000-000000007000`
Reviewer	Workspace	`00000000-0000-0000-0000-000000009000`

There is important behavior to understand when assigning roles through the scope claim:

All tokens must include an organization role. Only defining a workspace role is invalid. As best practice, limit the number of tokens with organization admin access. Unless necessary, use the organization member UUID alongside workspace role UUIDs.
The most permissive role applies. The effective permissions are the union of permissions granted by all included roles. For example, a scope that includes both the organization member and workspace developer role UUIDs grants organization member permissions plus all workspace developer permissions in eligible workspaces.
Both a workspace role and workspace access are required for workspace-scoped actions. A scope claim containing a workspace role alone doesn’t authorize workspace access. For a token to successfully perform a workspace-scoped action, such as running a deployment, the mapped account must be a member of the workspace and have a valid workspace role there.
The scope applies to all accessible workspaces. When using the scope claim, roles apply across all workspaces where the account is a member. You can’t assign different workspace roles per workspace through scope.

Sample scope configurations

See the following examples of scope configurations.

Organization admin — Grants all permissions.

00000000-0000-0000-0000-000000000800

Organization member only — Can access organization-scoped endpoints, no workspace access.

00000000-0000-0000-0000-000000000900

Organization member with workspace developer role — Can perform developer actions in all workspaces where the account is a member.

00000000-0000-0000-0000-000000000900 00000000-0000-0000-0000-000000003000

Organization member with multiple workspace roles (developer and review manager) — Developer is the effective workspace role. Because roles are additive, this configuration is redundant.

00000000-0000-0000-0000-000000000900 00000000-0000-0000-0000-000000003000 00000000-0000-0000-0000-000000007000

Workspace role without organization role — Invalid configuration. The token can’t access resources.

00000000-0000-0000-0000-000000003000

AI Hub configuration requirements

When adding your OAuth provider configuration in AI Hub, you must provide configuration details from your app registration.

Audience — The audience value that identifies AI Hub as the intended recipient of tokens. By default, AI Hub pre-fills this field with a suggested value in the format api://<organization-id>.<aihub-environment-url> (such as api://your-org.instabase.com). You can accept this value or, if you used a custom value in your OAuth provider configuration, edit the field.
Discovery endpoint URL — The OpenID Connect discovery endpoint URL, such as https://<YOUR-PROVIDER-DOMAIN>/.well-known/openid-configuration. This endpoint provides the issuer and JSON web key set (JWKS) URLs automatically and is the recommended approach. If your provider doesn’t support OpenID Connect discovery, you can manually provide the issuer and JWKS URLs instead.
- Issuer URL — The OAuth provider’s issuer identifier, such as https://<YOUR-PROVIDER-DOMAIN>/.
- JWKS URL — The JSON web key set endpoint URL used to validate token signatures, such as https://<YOUR-PROVIDER-DOMAIN>/.well-known/jwks.json.

Finding the discovery endpoint URL

The following table outlines where you can find the discovery endpoint URL in select OAuth providers. The accuracy of this table isn’t guaranteed, as external product user interfaces aren’t closely monitored.

OAuth provider	Discovery endpoint URL
Auth0	`https://<YOUR-AUTH0-DOMAIN>/.well-known/openid-configuration`
Google Workspace	`https://accounts.google.com/.well-known/openid-configuration`
JumpCloud	`https://oauth.id.jumpcloud.com/.well-known/openid-configuration`
Microsoft Entra ID	OpenID Connect Metadata Document, available under App registration > Overview > Endpoints. By default, the copied endpoint is for v2.0 tokens, for example: `https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration`. If using v1.0 tokens, adjust the value to remove `/v2.0`, for example: `https://login.microsoftonline.com/<TENANT_ID>/.well-known/openid-configuration`
Okta	`https://<YOUR-OKTA-DOMAIN>/oauth2/default/.well-known/openid-configuration`
OneLogin	`https://<YOUR-ONELOGIN-DOMAIN>/oidc/2/.well-known/openid-configuration`
PingFederate	`https://<YOUR-PINGFEDERATE-DOMAIN>/.well-known/openid-configuration`

Adding OAuth provider configurations

Before you begin

External OAuth provider configuration must be enabled for your organization. Contact Instabase Support if you need this feature enabled.

In the header, click the initials icon and select Settings. Select the Identity & access tab.
Under Externally managed API authorization, click Add configuration.
Add a display name to identify the configuration.
Select an OAuth provider. Select Custom if your provider isn’t listed.
Provide the discovery endpoint URL to allow AI Hub to look up the issuer URL and JWKS URL. Or, click Configure with issuer URL and JWKS URL to define these values yourself.
Review or update the Audience value. If accepting the suggested value, proceed. If you defined a custom audience value in your provider configuration, edit the field. The audience values configured in your OAuth provider and AI Hub must match exactly.
(Optional) Configure claim mappings if your OAuth provider configuration uses custom claim names.
- Subject — The claim containing the unique external account identifier. Default sub.
- Expiration — The claim containing the token expiration time. Default exp.
- Scope — The claim containing the token scope. Default scp.
Click Save.

You can now test your configuration by creating an account mapping and making a test API request.

Testing OAuth provider configurations

Your configuration doesn’t undergo automatic validation, so it must be tested by creating an account mapping linked to your configured provider, then requesting a token for the mapped account. The following procedure walks you through creating a service account and requesting a token using the client credentials flow.

Before you begin

Create a client secret for your app registration and record the client secret ID and client secret value.
Create a service account and add it to a shared workspace. Assign the account the developer workspace role to ensure it has the required permissions for the test AI Hub API call.

Request an API access token from your OAuth provider’s token endpoint using the client credentials grant type.

Most OAuth providers include testing functionality where you can get a sample token using your app registration credentials. If not, you can construct a request similar to the following and send it to the token endpoint URL.

$ curl --request POST "<OAUTH-PROVIDER-TOKEN-ENDPOINT>" \
>      --header "Content-Type: application/json" \
>      --data '{
>        "client_id": "<CLIENT-ID>",
>        "client_secret": "<CLIENT-SECRET>",
>        "audience": "<AUDIENCE>",
>        "grant_type": "client_credentials",
>      }'

The token endpoint URL varies by provider. Common formats include:

Auth0 — https://<YOUR-DOMAIN>.auth0.com/oauth/token
Okta — https://<YOUR-DOMAIN>/oauth2/default/v1/token
Microsoft Entra ID — https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token (v2.0 tokens) or https://login.microsoftonline.com/<TENANT_ID>/oauth2/token (v1.0 tokens)

Refer to your OAuth provider’s documentation for the correct endpoint.

Inspect the token using a JWT decoder, such as jwt.io, and extract the external account identifier passed in the subject claim (sub, unless configured otherwise).
Using the identifier, add an account mapping for the service account.

Make an API request to AI Hub using the provided token. The create batch endpoint works well for testing. Be sure to specify the name of the shared workspace you added the service account to.

$ curl --request POST "<API-ROOT>/v2/batches" \
>      --header "Authorization: Bearer <ACCESS-TOKEN>" \
>      --header "IB-Context: <ORGANIZATION-ID>" \
>      --header "Content-Type: application/json" \
>      --data '{
>        "name": "test",
>        "workspace": "<WORKSPACE-NAME>"
>      }'

If the request succeeds and returns a batch ID, your configuration is working correctly. If you encounter any issues, review all configuration settings and ensure the following:

The audience value in AI Hub matches your OAuth provider configuration and is being passed in the aud claim.
Claim mappings are correct if using custom claim names.
The external account identifier in the mapping matches the subject claim in your token (typically sub).

What's next

After verifying your configuration is working as expected, you can start setting up account mappings for users and service accounts in your organization. For each account that needs external tokens, create an account mapping.
You can optionally disable the ability to create AI Hub-managed tokens to enforce OAuth provider tokens for all API access. Before disabling token creation, ensure all accounts that need API access have a valid account mapping.

Updating OAuth provider configurations

Select configuration changes are supported after initial setup.

In the header, click the initials icon and select Settings. Select the Identity & access tab.
In the OAuth provider configurations list, hover over the configuration, then click the overflow icon and select Edit configuration.
Make any changes, then click Save changes.
Test your updated configuration.

Disabling and deleting OAuth provider configurations

You can disable or delete your configuration. Disabling a configuration removes it as a supported authentication option for API access, but the configuration is preserved and can later be re-enabled. When re-enabled, all previously created account mappings are also restored. Deleting a configuration permanently removes it and all associated account mappings.

In the header, click the initials icon and select Settings. Select the Identity & access tab.
In the OAuth provider configurations list, hover over the configuration, then click the overflow icon and select Disable configuration or Delete configuration.
Click Disable or Delete to confirm.

To re-enable a configuration, click the overflow icon

, then select Enable configuration.