Authentication & access
Sign in, orgs, SSO
Access to Nexma is organized around your organization. You sign in as a member, your role decides what you can do, and enterprise teams federate identity through their own provider. This page covers signing in, members and roles, single sign-on, and programmatic access.
Core concepts
Everything in Nexma belongs to an organization, not to a personal account. You sign in as a member of one or more organizations; within each, your role grants a set of permissions; and projects, Skills, and data sources are all scoped to the org. For machine access, you mint API keys that act with a defined scope.
| Concept | What it controls |
|---|---|
| Organization | The boundary for members, projects, Skills, and data |
| Member | A person with access to an organization |
| Role | The permission set a member holds in the org |
| API key | A scoped token for programmatic access |
Signing in
Sign in with your organization account, then select the organization you want to work in if you belong to more than one. Once inside, you see the projects and Skill libraries that org owns and that your role allows. Switching organizations changes the entire context — projects, members, and data — so a project never leaks across org boundaries.
See Authentication and access flows alongside Projects and resources.
Organizations, members, and roles
An organization groups the people and assets that work together. Administrators invite members, assign roles, and manage the org's Skill library and data connections.
- Members are the people in the org. A person can belong to several organizations and switch between them.
- Roles define what a member can do — from read-only viewing through design and editing up to administration. Roles govern who can create projects, edit the world model, connect data sources, and manage other members.
- Attribution is built in. Every change to a project records its author and timestamp, so access control and the audit trail reinforce each other.
For the full permission matrix, see Permissions reference.
Enterprise SSO and SAML
For enterprise teams, Nexma federates identity through your existing provider. Single sign-on lets members authenticate with corporate credentials, and SAML-based federation maps your directory groups onto Nexma roles, so access stays governed by the systems you already run. Provisioning and de-provisioning follow your identity source, which keeps membership accurate as people join and leave.
Centralizing identity in your provider means an off-boarded employee loses Nexma access the moment they lose their corporate account — no separate cleanup step.
API keys and tokens
Programmatic access uses scoped tokens. Mint an API key, bind it to an organization and a permission scope, and use it to drive Nexma from scripts, CI, or external systems through the API. Treat keys as secrets: store them outside source control, rotate them on a schedule, and revoke any key that may have been exposed. Because tokens carry a scope, a leaked read-only key cannot be used to modify projects.
See API reference.
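The checks implied by org-bound, scoped, revocable keys can be modeled in a few lines. This is an added illustration, not Nexma's implementation or API: the scope names, the 90-day rotation window, and the `mint`, `revoke`, and `authorize` functions are all assumptions made for the example.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

SCOPES = ("read", "write", "admin")   # hypothetical scope names, least to most privileged
MAX_KEY_AGE = timedelta(days=90)      # assumed rotation schedule

@dataclass
class ApiKey:
    digest: str        # only a SHA-256 digest of the secret is kept server-side
    org: str           # the one organization this key is bound to
    scope: str
    created: datetime
    revoked: bool = False

def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

def mint(store: list, org: str, scope: str, now: datetime) -> str:
    """Create a key bound to one org and scope; the secret is returned only once."""
    if scope not in SCOPES:
        raise ValueError(f"unknown scope: {scope}")
    secret = secrets.token_urlsafe(32)
    store.append(ApiKey(_digest(secret), org, scope, now))
    return secret

def revoke(store: list, secret: str) -> None:
    """Mark the key matching this secret as revoked, for example after exposure."""
    for key in store:
        if hmac.compare_digest(key.digest, _digest(secret)):
            key.revoked = True

def authorize(store: list, secret: str, org: str, needed: str, now: datetime):
    """Return (allowed, reason) for a request against `org` that needs scope `needed`."""
    d = _digest(secret)
    key = next((k for k in store if hmac.compare_digest(k.digest, d)), None)
    if key is None:
        return False, "unknown key"
    if key.revoked:
        return False, "revoked"
    if now - key.created > MAX_KEY_AGE:
        return False, "past rotation age"
    if key.org != org:
        return False, "wrong organization"
    if SCOPES.index(key.scope) < SCOPES.index(needed):
        return False, "insufficient scope"
    return True, "ok"
```

Every denial path returns a distinct reason, which makes the decision easy to log and audit alongside the key's organization.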
Where to go next
- See the full permission matrix in Permissions reference.
- Understand isolation and audit in Security.
- Learn how access maps onto work in Projects and resources.
- Automate against the platform with the API reference.