Documentation menu

DOCUMENTATION

Authentication & SSO

Identity in EquanimGRC is anchored in your organization's own identity provider. People sign in through it, API clients and agents present tokens it issues, and the application validates every token before it does anything. EquanimGRC is the authority on what a given identity is allowed to do; it is not the authority on who you are.

Signing in

The control plane handles authentication and single sign-on through a self-hostedAuthentik instance. When you sign in, the control plane authenticates you and hands you into the data-plane application with a short-lived, signed token; the application verifies that signature and establishes your session in your tenant. The hand-off is signed end to end — there is no shared-secret fallback — so a session can only originate from a real sign-in.

API clients

Programmatic access uses bearer tokens issued by your Authentik instance. The data-plane API acts as an OAuth 2.1 resource server: it verifies each token's signature against the published JWKS, checks the issuer, audience, and expiry, and resolves the token's subject to a known identity in the named tenant. A token that fails any of those checks is rejected before it reaches your data. Tokens are scoped to the minimum permissions a client needs.

Agents and service accounts

Machine agents authenticate as a service principal — a first-class, non-human identity provisioned in a single tenant, using client credentials rather than a browser sign-in. The same token verification applies, and a service principal that has been disabled stops working immediately. Because agents carry their own identity, every action they take is attributable to them in the audit trail. See Agents & evidence and Connect via MCP.

Tenant scoping

Every identity — person or machine — belongs to exactly one tenant, and every token names a subject provisioned in that tenant. There is no token that spans tenants, so authentication and isolation reinforce each other: who you are and which workspace you can touch are decided together. See Roles & data isolation.