> ## Documentation Index
> Fetch the complete documentation index at: https://altostrat.io/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Workflow Authorizations

> Understand how workflow authorizations let SDX workflows perform actions on behalf of users.

Workflow authorizations let workflows and AI-assisted operations perform SDX actions on behalf of an authorized user. An authorization stores delegated access for a user in your organization, then workflows can reference it when they need to call protected SDX capabilities.

Use authorizations deliberately. They define whose access is being used when a workflow makes platform changes.

## Prerequisites

Before you create or assign an authorization, make sure you have:

* Permission to create workflows and workflow authorizations.
* A user account with the scopes needed by the workflow.
* A clear owner for the workflow.
* A review process for workflows that change network state.

## How Authorizations Work

```mermaid theme={null}
flowchart LR
  User["Authorized user"] --> Auth["Workflow authorization"]
  Auth --> Workflow["Workflow"]
  Workflow --> API["SDX action"]
  API --> Logs["Workflow runs and logs"]
```

An authorization records:

* The user identity.
* The email shown in the workflow authorizations table.
* The creation date.
* The workflows currently using the authorization.

Tokens are handled by the workflow service. If an access token expires, the service refreshes it with the stored refresh token when possible.

## Create An Authorization

<Steps>
  <Step title="Open authorizations">
    Go to **Automation**, open **Workflows**, then open **Authorizations**.
  </Step>

  <Step title="Add an authorization">
    Click **Add**. SDX creates an authorization URL for the login flow.
  </Step>

  <Step title="Complete the login flow">
    Sign in as the user whose access the workflow should use. The resulting authorization is stored for the organization.
  </Step>

  <Step title="Assign it to workflows">
    When creating or editing a workflow, select the authorization that matches the workflow's operational owner and permissions.
  </Step>
</Steps>

## Revoke An Authorization

You can revoke authorizations that are no longer needed. If workflows are still using an authorization, SDX shows the affected workflows and blocks deletion until you remove those dependencies or assign a different authorization.

Before revoking:

* Check how many workflows use the authorization.
* Replace it on active workflows.
* Test at least one workflow run with the replacement authorization.
* Revoke the old authorization after dependent workflows are updated.

## Authorization Versus Vault

| Use                                                              | Choose                                                            |
| ---------------------------------------------------------------- | ----------------------------------------------------------------- |
| A workflow needs to call SDX as a user                           | Workflow authorization                                            |
| A workflow needs an external API token, password, or signing key | Workflow vault                                                    |
| An inbound synchronous workflow needs JWT validation             | Authorizer configuration backed by JWKS or vault signing material |

## Best Practices

* Create authorizations for service-owned operator accounts when possible, not personal accounts that may leave the organization.
* Keep workflow permissions as narrow as your role model allows.
* Review authorizations during offboarding.
* Watch workflow logs after changing authorizations.
* Do not reuse a powerful authorization for unrelated workflows.