Braintrust has a unique architecture in which your API endpoints and data are deployed in your own cloud environment. These endpoints are secured so that only users from your organization can access them. In fact, you could even run these endpoints in a VPN that Braintrust's servers can't access, and the application will work! This guide walks through how your users and services authenticate within this architecture.

End-user authentication

The most common form of authentication is end-user authentication to the Braintrust application. Users authenticate with your enterprise's identity provider (e.g. Google, Okta) and receive credentials directly in their browser. These credentials are later used to communicate with the Braintrust API endpoint deployed in your cloud.

API authentication

You can authenticate on behalf of users in your experiments or services using an API key. Braintrust API keys inherit their user's permissions and are essentially another way to authenticate as that user. To increase security, API keys are not stored anywhere and are displayed to the user only once. If you lose an API key, you will need to generate a new one (and you can deactivate the old one).

You can create an API key on the settings page.