Prerequisites
Before you create or assign an authorization, make sure you have:- Permission to create workflows and workflow authorizations.
- A user account with the scopes needed by the workflow.
- A clear owner for the workflow.
- A review process for workflows that change network state.
How Authorizations Work
An authorization records:- The user identity.
- The email shown in the workflow authorizations table.
- The creation date.
- The workflows currently using the authorization.
Create An Authorization
Complete the login flow
Sign in as the user whose access the workflow should use. The resulting authorization is stored for the organization.
Revoke An Authorization
You can revoke authorizations that are no longer needed. If workflows are still using an authorization, SDX shows the affected workflows and blocks deletion until you remove those dependencies or assign a different authorization. Before revoking:- Check how many workflows use the authorization.
- Replace it on active workflows.
- Test at least one workflow run with the replacement authorization.
- Revoke the old authorization after dependent workflows are updated.
Authorization Versus Vault
| Use | Choose |
|---|---|
| A workflow needs to call SDX as a user | Workflow authorization |
| A workflow needs an external API token, password, or signing key | Workflow vault |
| An inbound synchronous workflow needs JWT validation | Authorizer configuration backed by JWKS or vault signing material |
Best Practices
- Create authorizations for service-owned operator accounts when possible, not personal accounts that may leave the organization.
- Keep workflow permissions as narrow as your role model allows.
- Review authorizations during offboarding.
- Watch workflow logs after changing authorizations.
- Do not reuse a powerful authorization for unrelated workflows.