Authentication & Authorization
How authentication and authorization work in Fabric AI, including sign-in methods, session management, and role-based access control.
Fabric AI provides secure authentication with support for multiple sign-in methods and organization-level access control.
Authentication Methods
Fabric supports the following sign-in methods:
| Method | Description |
|---|---|
| Email & Password | Traditional sign-up with email verification |
| Magic Link | Passwordless login via email |
| Passkey | WebAuthn/FIDO2 biometric authentication |
| Two-Factor (2FA) | TOTP-based second factor |
| Google OAuth | Sign in with Google account |
| GitHub OAuth | Sign in with GitHub account |
| Microsoft OAuth | Sign in with Microsoft account |
Session Management
The API uses session-based authentication. When a user signs in, a secure session is created:
- User authenticates via one of the supported methods
- A session is created and stored securely
- A secure HTTP-only cookie is set on the client
- Subsequent API requests include the cookie automatically
- Each request validates the session before proceeding
Sessions have a configurable expiration and support account linking (a user can link multiple OAuth providers to one account).
Authorization Levels
API endpoints have different authorization levels:
| Level | Description | Example |
|---|---|---|
| Public | No authentication required | Contact forms, newsletter signup |
| Authenticated | Requires a valid session | Profile settings, AI chat |
| Tenant-Scoped | Authenticated with automatic data isolation | Projects, documents, workflows |
| Admin | Requires admin role | User management, system settings |
Rate Limiting
API endpoints are rate-limited to prevent abuse:
| Category | Description |
|---|---|
| Standard | Per-user limits for regular operations |
| AI Operations | Stricter per-user limits for AI/LLM calls |
| Workflow Operations | Per-user limits for workflow management |
| Agent Operations | Per-user limits for agent executions |
| Public | Per-IP limits for unauthenticated endpoints |
Organization Roles
Organization-level access uses role-based access control:
| Role | Permissions |
|---|---|
| Owner | Full control including billing, deletion, and member management |
| Admin | Can manage members, settings, and all resources |
| Member | Can use agents, create documents, and access shared resources |
Roles are assigned when inviting members and can be changed by owners and admins.
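As an added example (not Fabric AI's own code), the following TypeScript sketches how the authorization levels and organization roles described above combine on a single request: the session is checked for presence and expiry, tenant-scoped endpoints take their data filter from the session rather than from the request, and admin-only endpoints require an admin role. The types, the cookie name, and the assumption that owners also satisfy admin-only endpoints are illustrative and not taken from Fabric.

```typescript
// Added example, not Fabric AI's own code. Types, field names, the cookie name and
// the mapping of organization roles to the "Admin" level are assumptions.
type Level = "public" | "authenticated" | "tenant-scoped" | "admin";
type OrgRole = "owner" | "admin" | "member";

interface Session { userId: string; orgId: string; role: OrgRole; expiresAt: number }
interface Decision { allowed: boolean; reason: string; orgId?: string }
interface Doc { id: string; orgId: string; title: string }

// Assumption: owners have full control, so they also satisfy admin-only endpoints.
const ADMIN_ROLES: ReadonlySet<OrgRole> = new Set<OrgRole>(["owner", "admin"]);

// Check one request against the endpoint's authorization level.
// `now` is epoch milliseconds, passed in so the expiry check is deterministic.
function authorize(session: Session | null, level: Level, now: number): Decision {
  if (level === "public") return { allowed: true, reason: "public endpoint" };
  if (!session) return { allowed: false, reason: "no session cookie" };
  if (session.expiresAt <= now) return { allowed: false, reason: "session expired" };
  if (level === "authenticated") return { allowed: true, reason: "valid session" };
  if (level === "tenant-scoped") {
    // Data isolation: the org filter comes from the session, never from client input.
    return { allowed: true, reason: "valid session, tenant-scoped", orgId: session.orgId };
  }
  return ADMIN_ROLES.has(session.role)
    ? { allowed: true, reason: `role ${session.role} satisfies admin level` }
    : { allowed: false, reason: "admin role required" };
}

// Tenant-scoped listing: only documents in the caller's own organization are returned.
function listDocuments(docs: Doc[], session: Session | null, now: number): Doc[] {
  const d = authorize(session, "tenant-scoped", now);
  if (!d.allowed || d.orgId === undefined) throw new Error(d.reason);
  return docs.filter((doc) => doc.orgId === d.orgId);
}

// Set-Cookie value for the session id with the attributes the session flow relies on.
function sessionCookie(sessionId: string, maxAgeSeconds: number): string {
  return `fabric_session=${encodeURIComponent(sessionId)}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample data for a stand-alone run.
const NOW = 1_700_000_000_000;
const member: Session = { userId: "u1", orgId: "org-a", role: "member", expiresAt: NOW + 60_000 };
const expiredOwner: Session = { userId: "u2", orgId: "org-b", role: "owner", expiresAt: NOW - 1 };
const DOCS: Doc[] = [
  { id: "d1", orgId: "org-a", title: "roadmap" },
  { id: "d2", orgId: "org-b", title: "invoices" },
];
console.log(authorize(member, "admin", NOW).reason);            // admin role required
console.log(listDocuments(DOCS, member, NOW).map((d) => d.id)); // [ 'd1' ]
```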
Social OAuth Setup
To enable social sign-in providers, configure the following:
| Provider | Requirements |
|---|---|
| Google | OAuth client ID and secret from Google Cloud Console |
| GitHub | OAuth app credentials from GitHub Developer Settings |
| Microsoft | App registration from Azure Portal |
Account linking is enabled for Google and GitHub, allowing users to sign in with multiple providers and link them to a single account.
API Reference
The API automatically generates OpenAPI documentation for all authentication endpoints. Access the reference at:

`GET /api/auth/reference`

This provides a complete reference of all available authentication endpoints, request/response schemas, and error codes.