> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cloudthinker.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Security & Authentication

> Secure access to CloudThinker with MFA, SSO, and role-based access control

CloudThinker implements enterprise-grade security to protect your cloud infrastructure data and ensure only authorized users can access sensitive operations.

***

## Why Security Matters for an AI Operations Platform

CloudThinker agents have read (and optionally write) access to your cloud infrastructure. This is powerful — it enables autonomous analysis and optimization across all your cloud accounts. But it also means the platform itself needs to be hardened against unauthorized access, credential leakage, and prompt injection attacks.

The security model is designed around these principles:

* **Least-privilege by default**: agents use read-only credentials unless write access is explicitly configured and approved
* **Zero persistence**: no agent actions modify infrastructure without going through the [approval workflow](/guide/approval)
* **Defense-in-depth**: MFA, SSO, RBAC, audit logging, and sandbox isolation combine to protect against both external attacks and internal misuse
* **Transparent**: every agent action is logged with the user who initiated it, the approval chain, and the exact command executed

## Authentication Methods

<CardGroup cols={2}>
  <Card title="Email & Password" icon="envelope">
    Standard authentication with secure password requirements
  </Card>

  <Card title="Multi-Factor Authentication" icon="mobile-screen">
    TOTP-based MFA for additional security
  </Card>

  <Card title="Single Sign-On (SSO)" icon="key">
    SAML/OIDC integration with your identity provider
  </Card>

  <Card title="API Keys" icon="code">
    Secure programmatic access to the API
  </Card>
</CardGroup>

***

## Multi-Factor Authentication (MFA)

Add an extra layer of security with TOTP-based MFA:

### Enabling MFA

<Steps>
  <Step title="Navigate to Security Settings">
    Go to **Profile > Security Settings**
  </Step>

  <Step title="Enable MFA">
    Click **Enable Multi-Factor Authentication**
  </Step>

  <Step title="Scan QR Code">
    Use an authenticator app (Google Authenticator, Authy, 1Password, etc.) to scan the QR code
  </Step>

  <Step title="Verify Setup">
    Enter the 6-digit code from your authenticator to confirm setup
  </Step>

  <Step title="Save Backup Codes">
    Download and securely store your backup codes for account recovery
  </Step>
</Steps>

### MFA at Login

With MFA enabled:

1. Enter your email and password
2. Enter the current 6-digit code from your authenticator
3. Access granted

### Recovery Options

If you lose access to your authenticator:

* Use a backup code (one-time use)
* Contact organization admin for MFA reset
* Contact support with identity verification

<Warning>
  Store backup codes securely. Each code can only be used once. If you lose all backup codes and your authenticator, account recovery may require identity verification.
</Warning>

***

## Single Sign-On (SSO)

Enterprise plans support [SSO](/guide/security/sso) integration:

SSO is configured by Organization Owners in **Admin Settings → Identity and access**. Key capabilities:

* **Domain verification** — prove ownership of your email domain before enabling SSO
* **SAML or OIDC** — choose the protocol your identity provider supports
* **SSO enforcement** — optionally require all users with a verified domain to authenticate via SSO
* **JIT provisioning** — auto-create user accounts on first SSO login
* **SCIM directory sync** — automate user and group provisioning from your IdP

### Configuring SSO

<Card title="SSO Setup Guide" icon="key" href="/guide/security/sso">
  Step-by-step setup for Google Workspace, Azure AD, AWS IAM Identity Center, Okta, OneLogin, and generic SAML/OIDC
</Card>

### SSO Enforcement

Organization admins can enforce SSO:

* Require all users to authenticate via SSO
* Disable password-based login
* Auto-provision users on first SSO login
* Auto-deprovision when removed from IdP

***

## Role-Based Access Control (RBAC)

Control what users can do with granular permissions:

### Organization Roles

| Role       | Description                 | Permissions                                       |
| ---------- | --------------------------- | ------------------------------------------------- |
| **Owner**  | Full organization control   | All permissions, billing, member management       |
| **Admin**  | Organization administration | Manage workspaces, members, settings (no billing) |
| **Member** | Standard access             | Access assigned workspaces, use agents            |
| **Viewer** | Read-only access            | View dashboards and reports only                  |

### Workspace Roles

| Role                | Description            | Permissions                                         |
| ------------------- | ---------------------- | --------------------------------------------------- |
| **Workspace Admin** | Full workspace control | All workspace operations, member management         |
| **Editor**          | Standard operations    | Run agents, create recommendations, modify settings |
| **Operator**        | Limited operations     | Run agents, view data, cannot modify settings       |
| **Viewer**          | Read-only              | View dashboards, reports, and recommendations       |

### Permission Matrix

| Action                  | Owner | Admin | Editor | Operator | Viewer |
| ----------------------- | ----- | ----- | ------ | -------- | ------ |
| View dashboards         | Yes   | Yes   | Yes    | Yes      | Yes    |
| Run agent conversations | Yes   | Yes   | Yes    | Yes      | No     |
| Create recommendations  | Yes   | Yes   | Yes    | No       | No     |
| Approve operations      | Yes   | Yes   | Yes    | No       | No     |
| Manage connections      | Yes   | Yes   | Yes    | No       | No     |
| Manage members          | Yes   | Yes   | No     | No       | No     |
| Organization settings   | Yes   | Yes   | No     | No       | No     |
| Billing                 | Yes   | No    | No     | No       | No     |

***

## API Authentication

Secure programmatic access to CloudThinker:

### API Keys

Generate API keys for automation:

1. Go to **Profile > API Keys**
2. Click **Create API Key**
3. Name the key and set expiration
4. Copy the key (shown only once)
5. Use in API requests

```bash theme={null}
# Example API request
curl -H "Authorization: Bearer <api_key>" \
  https://api.cloudthinker.io/v1/workspaces
```

### Key Management

* **Rotation**: Regularly rotate keys (recommended: every 90 days)
* **Scoping**: Limit keys to specific operations when possible
* **Monitoring**: Review key usage in audit logs
* **Revocation**: Immediately revoke compromised keys

<Warning>
  Never commit API keys to version control. Use environment variables or secret management tools.
</Warning>

### OAuth Tokens

For integrations that use OAuth:

* Tokens are automatically refreshed
* Revoke access from **Settings > Connected Apps**
* Monitor token usage in audit logs

***

## Data Security

### Encryption

CloudThinker protects your data with:

| Layer       | Protection                   |
| ----------- | ---------------------------- |
| **Transit** | TLS 1.3 for all connections  |
| **At Rest** | AES-256 encryption           |
| **Secrets** | Encrypted credential storage |
| **Backups** | Encrypted database backups   |

### [Bring Your Own Key (BYOK)](/guide/byok)

Enterprise customers can use their own encryption keys:

1. Configure AWS KMS or similar
2. Provide key ARN to CloudThinker
3. Your key encrypts sensitive data
4. Maintain full key control

<Card title="Configure BYOK" icon="key" href="/guide/byok">
  Set up Bring Your Own Key encryption
</Card>

### Data Residency

* Choose data region during workspace creation
* Data stays within selected region
* Multi-region options for redundancy

***

## Audit Logging

Track all activities in CloudThinker:

### Logged Events

* User authentication (login, logout, MFA)
* Resource access and modifications
* Agent conversations and actions
* Administrative changes
* API access

### Viewing Audit Logs

1. Navigate to **Admin Settings > Organization**
2. Filter by:
   * User
   * Action type
   * Resource
   * Date range
3. Export logs for compliance

### Log Retention

* Standard: 90 days
* Professional: 1 year
* Enterprise: Configurable (up to 7 years)

***

## Security Best Practices

<AccordionGroup>
  <Accordion title="Enable MFA for All Users">
    Require MFA for all organization members, especially those with admin access. Consider enforcing via [SSO](/guide/security/sso) policies.
  </Accordion>

  <Accordion title="Use Least Privilege">
    Assign the minimum role required for each user's responsibilities. Review and adjust permissions regularly.
  </Accordion>

  <Accordion title="Rotate Credentials Regularly">
    Rotate API keys, refresh tokens, and cloud credentials on a regular schedule.
  </Accordion>

  <Accordion title="Monitor Audit Logs">
    Regularly review audit logs for suspicious activity. Set up alerts for critical events.
  </Accordion>

  <Accordion title="Secure Cloud Connections">
    Use read-only credentials when possible. Limit scope to necessary services and regions.
  </Accordion>

  <Accordion title="Review Access Periodically">
    Conduct quarterly access reviews. Remove inactive users and revoke unnecessary permissions.
  </Accordion>
</AccordionGroup>

***

## Compliance

CloudThinker maintains compliance with:

* **SOC 2 Type II**: Security, availability, and confidentiality
* **GDPR**: Data protection for EU users
* **HIPAA**: Healthcare data handling (Enterprise)
* **ISO 27001**: Information security management

<Card title="Request Compliance Documents" icon="file-certificate" href="mailto:security@cloudthinker.io">
  Contact us for security questionnaires and compliance documentation
</Card>