Skip to main content

Overview

Nebuly uses two distinct authentication mechanisms depending on the type of access. End-user authentication is handled through your enterprise identity provider (Google, Microsoft, Okta) or built-in basic authentication. Users log into the Nebuly UI via SSO or basic authentication. Ingestion authentication uses API keys. Any service sending data (interactions, traces) to Nebuly must include a project API key in every request:
Authorization: Bearer <api-key>
API keys are scoped to a project and can be created under Settings → Project → API keys. Once users can sign in, you control what they can see and do through roles and project access. See Permissions and user management for roles, inviting members, and assigning project access.

Default admin user on first startup

On first startup, you should create an initial admin user through the Helm values under auth.
auth:
  adminUserEnabled: true
  # -- The username of the initial admin user.
  adminUserUsername: "admin@nebuly.ai"
  # -- The password of the initial admin user.
  adminUserPassword: "securePassword"
Use a strong password that follows your organization’s security standards (minimum length, mixed character types, and no reused credentials). The initial admin user is intended for bootstrap access: use it to create additional users and assign roles (see Permissions and user management), then disable it if your security policy requires removing the default admin account after setup.

Configuring SSO for self-hosted deployments

SSO is configured at the infrastructure level via the Nebuly Terraform module. Pass your identity provider credentials as a module input and Terraform will automatically inject them into the generated Helm values. Supported providers: google, microsoft, okta.
module "platform" {
  source = "nebuly-ai/nebuly-platform/azurerm" # or /aws, /google

  google_sso = {
    client_id     = "<your-client-id>"
    client_secret = "<your-client-secret>"
  }
}
After terraform apply, re-run terraform output helm_values to pick up the updated values before upgrading the Helm chart. Terraform module references: AWS · Azure · GCP
If you do not use SSO, you can add members manually from the invite flow in Settings → Members. See Adding members manually.