> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nebuly.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How users sign in to Nebuly and how services authenticate when sending data.

## Overview

Nebuly uses two distinct authentication mechanisms depending on the type of access.

**End-user authentication** is handled through your enterprise identity provider (Google, Microsoft, Okta) or built-in basic authentication. Users log into the Nebuly UI via SSO or basic authentication.

**Ingestion authentication** uses API keys. Any service sending data (interactions, traces) to Nebuly must include a project API key in every request:

```http theme={null}
Authorization: Bearer <api-key>
```

API keys are scoped to a project and can be created under **Settings → Project → API keys**.

Once users can sign in, you control what they can see and do through roles and project access. See [Permissions and user management](/guides/permissions-and-user-management) for roles, inviting members, and assigning project access.

## Default admin user on first startup

On first startup, you should create an initial admin user through the Helm values under `auth`.

```yaml theme={null}
auth:
  adminUserEnabled: true
  # -- The username of the initial admin user.
  adminUserUsername: "admin@nebuly.ai"
  # -- The password of the initial admin user.
  adminUserPassword: "securePassword"
```

Use a strong password that follows your organization's security standards (minimum length, mixed character types, and no reused credentials).

The initial admin user is intended for bootstrap access: use it to create additional users and assign roles (see [Permissions and user management](/guides/permissions-and-user-management)), then disable it if your security policy requires removing the default admin account after setup.

## Configuring SSO for self-hosted deployments

SSO is configured at the infrastructure level via the Nebuly Terraform module. Pass your identity provider credentials as a module input and Terraform will automatically inject them into the generated Helm values.

Supported providers: `google`, `microsoft`, `okta`.

```hcl theme={null}
module "platform" {
  source = "nebuly-ai/nebuly-platform/azurerm" # or /aws, /google

  google_sso = {
    client_id     = "<your-client-id>"
    client_secret = "<your-client-secret>"
  }
}
```

After `terraform apply`, re-run `terraform output helm_values` to pick up the updated values before upgrading the Helm chart.

Terraform module references:
[AWS](https://registry.terraform.io/modules/nebuly-ai/nebuly-platform/aws/latest) ·
[Azure](https://registry.terraform.io/modules/nebuly-ai/nebuly-platform/azurerm/latest) ·
[GCP](https://registry.terraform.io/modules/nebuly-ai/nebuly-platform/google/latest)

<Note>
  If you do not use SSO, you can add members manually from the invite flow in **Settings → Members**. See [Adding members manually](/guides/permissions-and-user-management#adding-members-manually).
</Note>
