---
title: "Identity and Tenants"
description: "Use tenants, managed API keys, users, roles, and permissions to operate Aurora safely across teams."
icon: "users-round"
---
Overview
Aurora includes administrative identity surfaces for multi-team operation:
- tenants
- users
- roles and permissions
- OIDC SSO
Use these features when one gateway serves multiple teams, environments, customers, or services.
Configure Enterprise identity
```yaml
edition:
  name: enterprise
identity:
  enabled: true
  jwt_secret: "${IDENTITY_JWT_SECRET}"
  admin_email: "<initial admin email>"
  admin_password: "${IDENTITY_ADMIN_PASSWORD}"
```

After startup, open /admin/dashboard, sign in with the seeded admin user, and create tenants, users, roles, and API keys from the Identity and Tenants pages.
Tenants
Tenants provide an administrative grouping layer. Use them to separate ownership, visibility, and operational responsibility in dashboard workflows.
Tenant-aware admin pages preserve the current tenant scope when viewing models, usage, budgets, keys, and policy surfaces.
Manual tenant administration is available in the dashboard at Tenants.
For endpoint reference see the Admin API section.
Example:

```bash
curl -X POST http://your-aurora-host/admin/api/v1/tenants \
  -H "Authorization: Bearer $AURORA_MASTER_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "id": "team-alpha",
    "name": "Team Alpha"
  }'
```

Managed API keys
Managed API keys let operators issue gateway credentials without sharing upstream provider secrets. A key can carry metadata such as a name, status, permissions, and user_path.
Requests authenticated with a managed key use the key-bound path for scoped features such as budgets, model access, workflows, usage, and audit logs.
For full managed-key fields and API examples, see Managed API Keys.
Manual key administration is available in the dashboard at Auth Keys.
For endpoint reference see the Admin API section.
Example:

```bash
curl -X POST http://your-aurora-host/admin/api/v1/auth-keys \
  -H "Authorization: Bearer $AURORA_MASTER_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "team-alpha-service",
    "tenant_id": "team-alpha",
    "user_path": "/team/alpha/service",
    "allowed_providers": ["openai-primary"],
    "rate_limits": {
      "requests_per_minute": 60,
      "tokens_per_day": 1000000
    }
  }'
```

The API returns the secret value when the key is issued. Store it in your secret manager at creation time; do not expect to read the raw key later from list endpoints.
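A pre-flight review of the key-creation payload shown above, as an added example that is not part of Aurora's documentation or code. The field names come from the curl example on this page; the function name, the ceilings, and the pass/fail rules are assumptions standing in for your own issuance policy.

```python
import json

# Assumed organisational ceilings, not Aurora defaults; set them from your own policy.
MAX_REQUESTS_PER_MINUTE = 600
MAX_TOKENS_PER_DAY = 5_000_000

def review_key_request(payload, known_tenants):
    """Return findings for a managed-key creation payload; an empty list means it passes."""
    findings = []
    if not str(payload.get("name") or "").strip():
        findings.append("name: missing, key cannot be attributed to an owner")
    tenant = payload.get("tenant_id")
    if not tenant:
        findings.append("tenant_id: missing, key is not bound to a tenant")
    elif tenant not in known_tenants:
        findings.append(f"tenant_id: unknown tenant {tenant!r}")
    path = payload.get("user_path")
    if not isinstance(path, str) or not path.startswith("/") or ".." in path.split("/"):
        findings.append("user_path: must be an absolute path without '..' segments")
    providers = payload.get("allowed_providers")
    if not isinstance(providers, list) or not providers:
        findings.append("allowed_providers: no explicit provider allowlist")
    limits = payload.get("rate_limits")
    limits = limits if isinstance(limits, dict) else {}
    for field, ceiling in (("requests_per_minute", MAX_REQUESTS_PER_MINUTE),
                           ("tokens_per_day", MAX_TOKENS_PER_DAY)):
        value = limits.get(field)
        if type(value) is not int or value <= 0:
            findings.append(f"rate_limits.{field}: missing or not a positive integer")
        elif value > ceiling:
            findings.append(f"rate_limits.{field}: {value} exceeds ceiling {ceiling}")
    return findings

# Constructed sample payloads: GOOD mirrors the curl example, BAD is deliberately loose.
GOOD = {"name": "team-alpha-service", "tenant_id": "team-alpha",
        "user_path": "/team/alpha/service", "allowed_providers": ["openai-primary"],
        "rate_limits": {"requests_per_minute": 60, "tokens_per_day": 1000000}}
BAD = {"name": "ci-bot", "user_path": "team/alpha",
       "rate_limits": {"requests_per_minute": 100000}}

if __name__ == "__main__":
    for payload in (GOOD, BAD):
        problems = review_key_request(payload, known_tenants={"team-alpha"})
        # Only a clean payload is serialised for the POST body (e.g. curl -d @-).
        print(json.dumps(payload) if not problems else "\n".join(problems))
```

Run the check in the pipeline that issues keys, so a request without a tenant, provider allowlist, or rate limits is rejected before the master key is ever used.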
Users and roles
Dashboard users can be assigned roles that determine which admin resources they can access. Aurora uses these permissions to protect sensitive pages such as models, budgets, tenants, keys, guardrails, workflows, audit logs, and enterprise settings.
For user lifecycle endpoints, see Users. For RBAC role and permission endpoints, see Roles and Permissions.
Enterprise capabilities
Enterprise builds can require a signed license and can gate advanced dashboard features. Keep license keys and signing keys outside source control and pass them through environment variables or deployment secrets.
For launch artifact details, see Editions.