Authorization

Configure authentication and secrets management for your AI connection endpoint.

Overview

The Authorization tab of your AI Connection lets you configure authentication for requests to your AI app endpoint. It has two sections: Secrets Manager and Authentication.

Configure authentication for your endpoint

Secrets Manager

A secrets manager lets you securely retrieve authentication credentials at runtime from a cloud vault, instead of storing them directly on the platform.

To enable a secrets manager:

  1. Toggle the secrets manager on
  2. Select a provider (e.g. Azure Key Vault)
  3. Enter your Vault URL (e.g., https://your-vault.vault.azure.net)
  4. Enter your Tenant ID, Client ID, and Client Secret to authenticate to the vault

For self-hosted deployments, the secrets manager is always enabled and uses managed identities for authentication, so no secrets provider credentials are required.

Authentication

Select an authentication type from the dropdown:

TypeDescription
NoneNo authentication is applied
Auth0Exchanges client credentials for a Bearer token via Auth0’s OAuth2 client credentials flow
HMACComputes an HMAC-SHA256 signature of the request payload and sends it as a header

Auth0 requires the following fields:

FieldDescription
Auth0 DomainYour Auth0 tenant domain (e.g., your-tenant.auth0.com)
AudienceThe API identifier this token is authorized to access
Client ID / Client ID NameYour Auth0 application client ID, or the name of the secret in your vault if using a secrets manager
Client Secret / Client Secret NameYour Auth0 application client secret, or the name of the secret in your vault if using a secrets manager

HMAC requires the following fields:

FieldDescription
Header KeyThe HTTP header name where the signature is sent (e.g., X-Signature)
Signature PrefixAn optional prefix prepended to the signature (e.g., sha256=)
Secret Key / Secret NameThe signing key, or the name of the secret in your vault if using a secrets manager

You can use a secrets manager with Auth0 to store your client credentials in a key vault. Instead of entering the actual Client ID and Client Secret, provide the names of the secrets in your vault and they will be retrieved at runtime.

Next Steps

With authorization configured, your AI connection can securely reach protected endpoints. Next, learn how to handle multi-turn evaluations and link results back to traces.