Authentication

Authentication methods

Union.ai supports three authentication methods, each designed for a different use case.

Method            Identity type         Credentials                                             Use case
OIDC              Human user            Browser SSO                                             UI access, initial CLI login
API Keys          Application identity  Static bearer token                                     CI/CD scripts, simple automation
Service Accounts  Application identity  OAuth2 client_id + client_secret -> short-lived token   Production pipelines, multi-service systems

Service accounts are provisioned by the platform, creating OAuth2 applications with distinct, auditable identities independent of any human user.

Single sign-on

Union.ai uses OAuth2 / OIDC for SSO. Customers can configure any OIDC or SAML 2.0 compliant identity provider (Google Workspace, Microsoft Entra ID, Okta, etc.). SSO provides centralized identity management where the user lifecycle is managed in the customer’s IdP. MFA enforcement is delegated to the customer’s IdP, so the customer’s existing MFA policies apply without additional configuration. Session management is inherited from the IdP configuration, and all authentication events are logged with caller identity.

Verification

SSO and credential lifecycle

Reviewer focus: Confirm that SSO redirects to the customer’s IdP, that MFA is enforced when configured, and that API keys and service accounts can be created, used, and revoked.

How to verify:

  1. SSO: Log in. The browser redirects to the customer’s IdP, and an MFA prompt appears if configured.

  2. API key: Create a key, use it in a script, then revoke it:

    flyte create api-key --name <key-name>
    # Use the key in a script to authenticate
    flyte delete api-key <key-name>
    # Confirm the revoked key is rejected

  3. Application identity: flyte create api-key provisions OAuth application credentials (an OAuth2 client_id + client_secret, encoded into the API key) with a distinct, auditable identity independent of any human user:

    flyte create api-key --name <app-name>

    Show the OAuth2 token exchange and confirm the application appears as a distinct identity in the audit log. Use flyte create assignment to bind policies that scope what the identity can do.
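The lifecycle the steps above verify (provision an application identity, exchange its client_id and client_secret for a short-lived token, present that token as a bearer, revoke the identity, confirm rejection, and see every event logged with the caller identity), as an added illustrative Python model. It is not Union.ai's implementation: the in-memory store, the opaque token format and the 300-second token lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
# Constructed in-memory state for the model (assumption: not Union.ai's real store or token format).
CLIENTS = {}            # client_id -> {"secret_hash": str, "revoked": bool}
TOKENS = {}             # opaque bearer token -> (client_id, expiry_timestamp)
AUDIT_LOG = []          # every auth event recorded with its caller identity, as the page describes
TOKEN_TTL_SECONDS = 300 # assumed lifetime of a short-lived token

def _hash(secret):
    return hashlib.sha256(secret.encode()).hexdigest()

def create_service_account(name):
    """Provision an application identity; the client_secret is returned exactly once."""
    client_id = f"sa-{name}-{secrets.token_hex(4)}"
    client_secret = secrets.token_urlsafe(32)
    CLIENTS[client_id] = {"secret_hash": _hash(client_secret), "revoked": False}  # secret stored hashed
    AUDIT_LOG.append({"event": "create", "caller": client_id, "result": "ok"})
    return client_id, client_secret

def token_exchange(client_id, client_secret, now=None):
    """OAuth2 client_credentials step: static client secret -> short-lived bearer token, or None."""
    now = time.time() if now is None else now
    entry = CLIENTS.get(client_id)
    ok = (entry is not None and not entry["revoked"]
          and hmac.compare_digest(entry["secret_hash"], _hash(client_secret)))
    AUDIT_LOG.append({"event": "token", "caller": client_id, "result": "ok" if ok else "denied"})
    if not ok:
        return None
    token = secrets.token_urlsafe(24)
    TOKENS[token] = (client_id, now + TOKEN_TTL_SECONDS)
    return token

def authorize_bearer(token, now=None):
    """Resource-side check: returns the caller identity, or None if unknown, expired or revoked."""
    now = time.time() if now is None else now
    rec = TOKENS.get(token)
    if rec is None:
        return None
    client_id, expiry = rec
    ok = now < expiry and not CLIENTS[client_id]["revoked"]
    AUDIT_LOG.append({"event": "api", "caller": client_id, "result": "ok" if ok else "denied"})
    return client_id if ok else None

def revoke(client_id):
    """Revoke the application identity; later exchanges and bearer use are rejected."""
    CLIENTS[client_id]["revoked"] = True
    AUDIT_LOG.append({"event": "revoke", "caller": client_id, "result": "ok"})
```

Filtering AUDIT_LOG by caller is the model's equivalent of confirming that the application appears as its own identity in the audit log, separate from any human user.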

This verification is fully self-service.