Identity & authentication
Syncanix uses your existing identity provider — it never becomes your users' password store.
Syncanix doesn’t manage your users' passwords. It relies on the identity provider you already use, so the people who chat with your assistant are exactly who your own systems say they are, with exactly the permissions they already have.
Federation to your identity provider
Sign-in is federated: Syncanix hands authentication to your identity provider and trusts the result. Supported providers include:
- Auth0
- Clerk
- Amazon Cognito
- WorkOS
- Your own OpenID Connect provider
Two kinds of sign-in
Keep two sign-ins distinct. Your team signs in to the dashboard to configure the workspace. Your end users authenticate through your identity provider when they use the widget or connect an MCP client — Syncanix never holds their credentials.
Acting on behalf of the user
When the assistant takes an action, it acts as the signed-in end user, with their identity and permissions — never an elevated or shared account. You can optionally require a one-time, explicit consent the first time a user lets the assistant act on their behalf.
Step-up for sensitive actions
For sensitive actions you can require step-up authentication: before the action runs, the user re-confirms their identity through your provider — for example with multi-factor authentication, a passkey, or re-entering their password.
Identity for MCP clients
MCP clients like Claude Desktop authenticate with OAuth 2.1 and PKCE, federated to your identity provider, and receive short-lived tokens scoped to the workspace. The same identity and permissions apply there as in the widget — the assistant never holds a long-lived credential.