Authentication & Authorization

SSO, RBAC, MFA, SCIM provisioning, and access control in Future AGI.

Authentication Methods

Future AGI supports multiple authentication methods to fit your organization’s security requirements:

  • Email and password — Available on all plans. Passwords must meet minimum complexity requirements (12+ characters, mixed case, numbers, and symbols).
  • Google OAuth — Available on all plans. Delegates authentication to Google’s identity platform.
  • SAML SSO — Available on Enterprise plans. Integrate with your existing identity provider for centralized access management.

Multi-Factor Authentication (MFA)

MFA adds a second layer of verification beyond passwords. Future AGI supports TOTP-based authenticator apps (Google Authenticator, Authy, 1Password, etc.). Organization owners on Team plans and above can enforce MFA for all members, ensuring no account relies on password-only authentication.

SCIM Provisioning

Enterprise customers can automate user lifecycle management through SCIM 2.0. Supported identity providers include:

  • Okta
  • Azure Active Directory (Entra ID)
  • Google Workspace
  • OneLogin

SCIM provisioning enables automatic user creation, role assignment, and deprovisioning when team members join or leave your organization.

Role-Based Access Control (RBAC)

Future AGI implements granular RBAC with four predefined roles:

Role     Permissions
Owner    Full access. Manage billing, organization settings, SSO configuration, and member roles.
Admin    Create and manage projects, evaluations, guardrails, datasets, and API keys. Cannot modify billing or SSO.
Member   View and interact with traces, run evaluations, annotate data, and use the Command Center. Cannot manage project settings or API keys.
Viewer   Read-only access to dashboards, traces, and evaluation results. Cannot modify any resources.

Roles are assigned at the organization level and can be scoped to specific projects on Enterprise plans.

API Key Management

API keys are used to authenticate SDK and API access. Keys can be created, rotated, and revoked from the project settings. Each key is scoped to a single project and inherits the permissions of the user who created it. We recommend rotating API keys every 90 days.

Session Management

Authenticated sessions use JWTs with a 24-hour expiration. Sessions are invalidated on password change or explicit logout. On Enterprise plans, idle sessions are also terminated automatically after 30 minutes of inactivity.
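The following is an added illustration of how a server can enforce the session rules above (hard expiry, idle timeout, logout, password change); it is not Future AGI's own implementation. The claim names pwv and jti, the denylist, and the signing key are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Session policy from the page: 24-hour hard expiry, 30-minute idle limit on
# Enterprise plans, invalidation on password change or explicit logout.
SESSION_TTL = 24 * 3600
IDLE_TIMEOUT = 30 * 60
SECRET = b"constructed-demo-key-not-a-real-secret"  # placeholder signing key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(user_id: str, now: int, pw_version: int) -> str:
    """Mint an HS256 JWT. 'pwv' (assumed claim) pins the token to the password
    generation at login; 'jti' is an id a logout can place on a denylist."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "iat": now, "exp": now + SESSION_TTL,
              "pwv": pw_version, "jti": f"{user_id}-{now}"}
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def validate(token: str, now: int, last_seen: int, users: dict,
             revoked: set, enterprise: bool = True) -> tuple:
    """Return (accepted, reason). Every rejection names the policy that fired."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header, body, sig = parts
    if json.loads(_unb64(header)).get("alg") != "HS256":
        return False, "unexpected alg"      # never let the token pick the algorithm
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return False, "expired"
    if claims["jti"] in revoked:
        return False, "logged out"           # explicit logout denylists the jti
    user = users.get(claims["sub"])
    if user is None or claims["pwv"] != user["pw_version"]:
        return False, "password changed"    # old tokens die with the old password
    if enterprise and now - last_seen > IDLE_TIMEOUT:
        return False, "idle timeout"
    return True, "ok"
```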

Audit Logs

Enterprise customers receive comprehensive audit logs covering authentication events, resource modifications, API key operations, and administrative actions. Audit logs are retained for 12 months and can be exported for compliance and forensic analysis.

Questions?

Reach out to our security team.

security@futureagi.com

Request documents

SOC 2 report, DPA, pen test summary.