Concepts
Admin Portal
The WorkOS-killer flow: your customer's IT admin self-serves SSO setup via a one-time link.
The Admin Portal is what makes enterprise sales actually fast. Your customer’s IT admin clicks a link from your product, picks their IdP from a list, pastes metadata, and SSO is live. You don’t mediate. Your dev team doesn’t mediate. We don’t mediate. It’s a 30-second flow.
The dance

Customer's product backend on one side, Authio on the other:

1. Customer admin clicks "Set up SSO" in your UI.
2. Your backend calls the Authio mgmt API:
   POST /v1/sso/admin-portal/tokens
   { project_id, organization_id }
3. Authio mints a one-time token + URL and returns the plaintext once.
4. You email the URL to the IT admin.
   ↓ IT admin clicks ↓
5. Authio renders the setup form (provider picker + metadata box).
6. Admin pastes IdP metadata, clicks Save.
7. Token is consumed atomically.
8. sso_connections row written with status=active.
9. Authio fires a webhook back to your product: sso.connection.created
   ↓
SSO is live for this organization.

Properties you should know about
- One-time. A token consumed once cannot be reused. The next request returns 410 token_consumed.
- Time-bound. 24-hour TTL by default; configurable per-mint.
- Scoped. A token only configures the organization_id it was minted for. There's no way for the IT admin to influence other organizations.
- Auditable. Every mint, render, and save is captured in audit_events. The IT admin's email is recorded on the resulting connection row.
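The lifecycle behind the dance and the four properties above, as an added Python model that is not Authio's code: mint stores only a hash and hands the plaintext out once, render and save share one check, save consumes under a lock, the organization written to the connection comes from the token record rather than from the form, and each step appends an audit event. The 404 token_not_found and 410 token_expired responses are assumptions; the page only documents 410 token_consumed.

```python
import hashlib, secrets, threading, time

DEFAULT_TTL = 24 * 3600  # page default: 24-hour TTL, configurable per mint

class AdminPortalTokens:
    """Hypothetical in-memory model of the token lifecycle; not Authio's code."""
    def __init__(self, now=time.time):
        self._by_hash = {}            # sha256(plaintext) -> token record
        self._lock = threading.Lock()
        self._now = now
        self.audit_events = []        # (event, organization_id), modelled on audit_events
        self.sso_connections = []     # modelled on the sso_connections rows

    def mint(self, project_id, organization_id, ttl=DEFAULT_TTL):
        plaintext = secrets.token_urlsafe(32)
        digest = hashlib.sha256(plaintext.encode()).hexdigest()
        self._by_hash[digest] = {"project_id": project_id, "organization_id": organization_id,
                                 "expires_at": self._now() + ttl, "consumed": False}
        self.audit_events.append(("mint", organization_id))
        return plaintext              # handed out exactly once; only the hash is stored

    def _check(self, plaintext):
        tok = self._by_hash.get(hashlib.sha256(plaintext.encode()).hexdigest())
        if tok is None:
            return None, (404, "token_not_found")  # code assumed, not from the page
        if tok["consumed"]:
            return None, (410, "token_consumed")
        if self._now() > tok["expires_at"]:
            return None, (410, "token_expired")    # code assumed, not from the page
        return tok, None

    def render(self, plaintext):
        tok, err = self._check(plaintext)
        if err:
            return err
        self.audit_events.append(("render", tok["organization_id"]))
        return 200, {"organization_id": tok["organization_id"]}

    def save(self, plaintext, admin_email, idp_metadata):
        with self._lock:              # check-and-consume under one lock: atomic
            tok, err = self._check(plaintext)
            if err:
                return err
            tok["consumed"] = True
        # Scoping: the organization comes from the token record, never from the form.
        conn = {"organization_id": tok["organization_id"], "status": "active",
                "configured_by": admin_email, "idp_metadata": idp_metadata}
        self.sso_connections.append(conn)
        self.audit_events.append(("save", tok["organization_id"]))
        return 200, conn
```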
You can preview the full round-trip against the live alpha service. Mint a token via the Management API, then visit the returned URL with no special setup — the form will render for any unconsumed token.
Supported providers
SAML: Okta, Microsoft Entra ID, Google Workspace, Ping, OneLogin, JumpCloud, ADFS, Rippling, generic SAML 2.0. OIDC: Auth0, Keycloak, generic OIDC. Each provider entry in the form drops the admin into a tailored set of fields (e.g. Entra wants a Tenant ID, Okta wants the metadata XML).