Configuring OAuth providers | Instabase AI Hub Documentation

Enterprise

Enterprise-tier organizations can use their OAuth provider to manage API access using externally generated tokens. Configuring an OAuth provider enables secure authorization for AI Hub API access following OAuth 2.0 standards. When you configure an OAuth provider, AI Hub validates tokens issued by your provider instead of generating its own tokens.

Admins can add and manage OAuth provider configurations.

Using externally managed tokens is a two-step process.

Configure an OAuth provider, described below.
Create account mappings for each user or service account that needs tokens.

Both steps must be completed before accounts can use OAuth provider tokens for API access.

Configuration overview

Adding an OAuth provider configuration involves creating OAuth application registrations in your OAuth provider, then adding configuration details to AI Hub. You then create account mappings in AI Hub to link app registrations in your OAuth provider to AI Hub user or service accounts, enabling token-based API authentication.

When a mapped account makes an API request using an externally managed token:

An access token is requested from the OAuth provider.
The OAuth provider issues an access token in the form of a JSON web token (JWT).
The token is included in the AI Hub API request as the bearer token.
AI Hub validates the token signature, issuer, audience, and expiration.
AI Hub looks up the account mapping using the token’s subject claim.
AI Hub authorizes the request based on the mapped account’s assigned roles and associated permissions.

AI Hub supports flexible OAuth configurations. You can add multiple OAuth provider configurations to your organization, and each user or service account can have multiple account mappings (one per OAuth provider configuration). The number of app registrations you create in your OAuth provider is up to you—AI Hub only requires that each account mapping has a unique subject claim value.

OAuth provider configuration requirements

Review the following requirements for your app registration. The registration process varies by provider. Refer to your OAuth provider’s documentation for specific setup steps.

Audience — The audience identifies the intended recipient of the token (AI Hub). AI Hub provides a suggested audience value in the format api://<organization-id>.<aihub-environment-url> (such as api://company.aihub.instabase.com), or you can define a custom one. Regardless, the audience value defined in your provider and AI Hub must match exactly.
Token claims — Each token must contain claims identifying the subject, expiry, and audience. AI Hub expects these values in the sub, exp, and aud claims, respectively. You can use custom claims for subject and expiry; audience must be passed under aud.

Claim mapping

AI Hub expects tokens to include required information in the sub, exp, and aud claims. While the aud claim must be used, you can use custom claim names for the others. To let AI Hub know which custom claims to look at, you use claim mapping. If using custom claims, be sure the passed values meet the expected format and requirements.

Claim	Description	Expected format	Notes
subject	The unique identifier for the account. This value must be unique among all account mappings in your organization.	String	Default `sub`, custom claim mapping supported. Primary identifier used to map OAuth tokens to AI Hub accounts. Must match exactly when creating account mappings.
expiry	When the token expires.	Unix timestamp (seconds since epoch)	Default `exp`, custom claim mapping supported. Tokens are rejected after expiration. Industry best practice is 15—60 minutes.
audience	Identifies the intended recipient of the token (AI Hub)	String or array of strings	Must be named `aud` and value must match the audience value configured in AI Hub. This ensures tokens are intended for AI Hub APIs.

AI Hub configuration requirements

When adding your OAuth provider configuration in AI Hub, you must provide configuration details from your app registration.

Audience — The audience value that identifies AI Hub as the intended recipient of tokens. By default, AI Hub pre-fills this field with a suggested value in the format api://<organization-id>.<aihub-environment-url> (such as api://your-org.instabase.com). You can accept this value or, if you used a custom value in your OAuth provider configuration, edit the field.
Discovery endpoint URL — The OpenID Connect discovery endpoint URL, such as https://<YOUR-PROVIDER-DOMAIN>/.well-known/openid-configuration. This endpoint provides the issuer and JSON web key set (JWKS) URLs automatically and is the recommended approach. If your provider doesn’t support OpenID Connect discovery, you can manually provide the issuer and JWKS URLs instead.
- Issuer URL — The OAuth provider’s issuer identifier, such as https://<YOUR-PROVIDER-DOMAIN>/.
- JWKS URL — The JSON web key set endpoint URL used to validate token signatures, such as https://<YOUR-PROVIDER-DOMAIN>/.well-known/jwks.json.

Finding the discovery endpoint URL

The following table outlines where you can find the discovery endpoint URL in select OAuth providers. The accuracy of this table isn’t guaranteed, as external product user interfaces aren’t closely monitored.

OAuth provider	Discovery endpoint URL
Auth0	`https://<YOUR-AUTH0-DOMAIN>/.well-known/openid-configuration`
Google Workspace	`https://accounts.google.com/.well-known/openid-configuration`
JumpCloud	`https://oauth.id.jumpcloud.com/.well-known/openid-configuration`
Microsoft Entra ID	OpenID Connect Metadata Document, available under App registration > Overview > Endpoints. By default, the copied endpoint is for v2.0 tokens, for example: `https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration`. If using v1.0 tokens, adjust the value to remove `/v2.0`, for example: `https://login.microsoftonline.com/<TENANT_ID>/.well-known/openid-configuration`
Okta	`https://<YOUR-OKTA-DOMAIN>/oauth2/default/.well-known/openid-configuration`
OneLogin	`https://<YOUR-ONELOGIN-DOMAIN>/oidc/2/.well-known/openid-configuration`
PingFederate	`https://<YOUR-PINGFEDERATE-DOMAIN>/.well-known/openid-configuration`

Adding OAuth provider configurations

Before you begin

External OAuth provider configuration must be enabled for your organization. Contact Instabase Support if you need this feature enabled.

In the header, click the initials icon and select Settings. Select the Identity & access tab.
Under Externally managed API authorization, click Add configuration.
Add a display name to identify the configuration.
Select an OAuth provider. Select Custom if your provider isn’t listed.
Provide the discovery endpoint URL to allow AI Hub to look up the issuer URL and JWKS URL. Or, click Configure with issuer URL and JWKS URL to define these values yourself.
Review or update the Audience value. If accepting the suggested value, proceed. If you defined a custom audience value in your provider configuration, edit the field. The audience values configured in your OAuth provider and AI Hub must match exactly.
(Optional) Configure claim mappings if your OAuth provider configuration uses custom claim names.
- Subject — The claim containing the unique external account identifier. Default sub.
- Expiration — The claim containing the token expiration time. Default exp.
Click Save.

You can now test your configuration by creating an account mapping and making a test API request.

Testing OAuth provider configurations

Your configuration doesn’t undergo automatic validation, so it must be tested. You can test with a service account using the client credentials flow.

Before you begin

Create a client secret for your app registration and record the client secret ID and client secret value.
Create a service account and add it to a shared workspace. Assign the account the developer workspace role to ensure it has the required permissions for the test AI Hub API call.

Request an API access token from your OAuth provider’s token endpoint using the client credentials grant type.

Most OAuth providers include testing functionality where you can get a sample token using your app registration credentials. If not, you can construct a request similar to the following and send it to the token endpoint URL.

$ curl --request POST "<OAUTH-PROVIDER-TOKEN-ENDPOINT>" \
>      --header "Content-Type: application/json" \
>      --data '{
>        "client_id": "<CLIENT-ID>",
>        "client_secret": "<CLIENT-SECRET>",
>        "audience": "<AUDIENCE>",
>        "grant_type": "client_credentials"
>      }'

The token endpoint URL varies by provider. Common formats include:

Auth0 — https://<YOUR-DOMAIN>.auth0.com/oauth/token
Okta — https://<YOUR-DOMAIN>/oauth2/default/v1/token
Microsoft Entra ID — https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token (v2.0 tokens) or https://login.microsoftonline.com/<TENANT_ID>/oauth2/token (v1.0 tokens)

Refer to your OAuth provider’s documentation for the correct endpoint.

Inspect the token using a JWT decoder, such as jwt.io, and extract the external account identifier passed in the subject claim (sub, unless configured otherwise).
Using the identifier, add an account mapping for the service account.

Make an API request to AI Hub using the provided token. The create batch endpoint works well for testing. Be sure to specify the name of the shared workspace you added the service account to.

$ curl --request POST "<API-ROOT>/v2/batches" \
>      --header "Authorization: Bearer <ACCESS-TOKEN>" \
>      --header "IB-Context: <ORGANIZATION-ID>" \
>      --header "Content-Type: application/json" \
>      --data '{
>        "name": "test",
>        "workspace": "<WORKSPACE-NAME>"
>      }'

If the request succeeds and returns a batch ID, your configuration is working correctly. If you encounter any issues, review all configuration settings and ensure the following:

The audience value in AI Hub matches your OAuth provider configuration and is being passed in the aud claim.
Claim mappings are correct if using custom claim names.
The external account identifier in the mapping matches the subject claim in your token (typically sub).

What's next

After verifying your configuration is working as expected, you can start setting up account mappings for users and service accounts in your organization. For each account that needs external tokens, create an account mapping.
You can optionally disable the ability to create AI Hub-managed tokens to enforce OAuth provider tokens for all API access. Before disabling token creation, ensure all accounts that need API access have a valid account mapping.

Updating OAuth provider configurations

Select configuration changes are supported after initial setup.

In the header, click the initials icon and select Settings. Select the Identity & access tab.
In the OAuth provider configurations list, hover over the configuration, then click the overflow icon and select Edit configuration.
Make any changes, then click Save changes.
Test your updated configuration.

Disabling and deleting OAuth provider configurations

You can disable or delete your configuration. Disabling a configuration removes it as a supported authentication option for API access, but the configuration is preserved and can later be re-enabled. When re-enabled, all previously created account mappings are also restored. Deleting a configuration permanently removes it and all associated account mappings.

In the header, click the initials icon and select Settings. Select the Identity & access tab.
In the OAuth provider configurations list, hover over the configuration, then click the overflow icon and select Disable configuration or Delete configuration.
Click Disable or Delete to confirm.

To re-enable a configuration, click the overflow icon

, then select Enable configuration.