Authentication
Inspire uses different authentication methods depending on the context.
Web Application
The Inspire web application uses session-based authentication:
- User logs in with email and password
- A secure session cookie is set
- All subsequent requests include the cookie automatically
- Sessions expire after 24 hours of inactivity
API Authentication
Ingest Keys
The Data Ingest API and webhook ingestion use ingest keys:
Authorization: Bearer ik_<key_id>_<secret>
- Prefixed with ik_ for identification
- Connector-scoped
- Public key_id plus secret format for fast lookup and simple rotation
- Created and managed in Data Sources
- Can be rotated without reconfiguring the connector
Legacy Optymyse Connector Keys
The Legacy Optymyse Connector API uses the legacy Optymyse key model:
X-API-Key: your-api-key
- Managed in Settings > API Keys
- Existing legacy keys continue to work
- Scoped to the tenant level
Key Management Best Practices
| Practice | Why |
|---|---|
| Use separate keys per integration | Isolates access — revoking one key does not break others |
| Rotate keys periodically | Limits exposure if a key is compromised |
| Never commit keys to version control | Use environment variables instead |
| Use the minimum scope needed | Ingest keys are scoped to a single connector |
| Monitor key usage | Check connector logs for unexpected activity |
If you suspect a key has been compromised, rotate it immediately in the Inspire settings. The old key is invalidated instantly.
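The following is an added example, not part of the Inspire documentation or its code. It shows client-side handling of the ik_<key_id>_<secret> format described above: loading the key from an environment variable, masking the secret in log output while keeping the public key_id, and finding keys in text that is about to be committed. The variable name INSPIRE_INGEST_KEY and the character sets allowed in key_id and secret are assumptions.

```python
import os
import re

# Assumption (not stated on the page): key_id is alphanumeric with no "_", and
# the secret is 8+ URL-safe characters, so the first "_" after "ik_" splits them.
KEY_RE = re.compile(r"\bik_([A-Za-z0-9]+)_([A-Za-z0-9_-]{8,})")

# Constructed sample values, not real keys.
SAMPLE_KEY = "ik_7f3a9c_Zx8QvT1mB4nLk0Pw"
SAMPLE_DIFF = '+INGEST_KEY="ik_7f3a9c_Zx8QvT1mB4nLk0Pw"\n+# format: ik_<key_id>_<secret>\n'


def parse_ingest_key(token):
    """Split an ingest key into (key_id, secret); raise ValueError if malformed."""
    match = KEY_RE.fullmatch(token.strip())
    if match is None:
        raise ValueError("value is not in ik_<key_id>_<secret> form")
    return match.group(1), match.group(2)


def auth_header_from_env(var="INSPIRE_INGEST_KEY"):  # hypothetical variable name
    """Build the Authorization header from the environment, never from source."""
    token = os.environ.get(var, "").strip()
    parse_ingest_key(token)  # fail early on a missing or truncated key
    return {"Authorization": "Bearer " + token}


def redact(text):
    """Mask each ingest key's secret but keep the public key_id for correlation."""
    return KEY_RE.sub(lambda m: "ik_" + m.group(1) + "_[REDACTED]", text)


def find_key_ids(text):
    """Return the key_ids of ingest keys found in text, e.g. a staged diff."""
    return sorted({m.group(1) for m in KEY_RE.finditer(text)})


if __name__ == "__main__":
    print(redact("Authorization: Bearer " + SAMPLE_KEY))
    leaked = find_key_ids(SAMPLE_DIFF)
    if leaked:
        print("ingest key in diff, rotate key_id(s):", ", ".join(leaked))
```

Because the key_id is the public half of the key, the output of find_key_ids can be shared in a ticket to identify which key to rotate without exposing the secret.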
Single Sign-On (SSO)
Inspire supports external identity providers via SAML 2.0 and OpenID Connect. SSO is an Enterprise-tier feature.
SAML 2.0
Configure your SAML identity provider in Settings > SSO & Authentication > SSO Providers:
| Setting | Description |
|---|---|
| Entity ID | The SAML issuer / entity ID of your identity provider |
| Metadata URL | URL to your IdP’s SAML metadata XML |
| Certificate | X.509 signing certificate in PEM format |
OpenID Connect (OIDC)
Configure your OIDC provider (e.g. Azure AD, Okta, Auth0):
| Setting | Description |
|---|---|
| Authority URL | The OIDC discovery endpoint (e.g. https://login.microsoftonline.com/{tenant}/v2.0) |
| Client ID | Application / client ID registered with the provider |
| Client Secret | Client secret for the application |
SSO providers require careful configuration. Test with a small group of users before enabling organisation-wide.
Multi-Factor Authentication (MFA)
TOTP-based multi-factor authentication is available on Professional and Enterprise tiers.
Admin Setup
- Navigate to Settings > SSO & Authentication > Multi-Factor Auth
- Enable MFA for the tenant
- Optionally require MFA for all users
User Setup
Once MFA is enabled by an admin, users can set it up from their Account page:
- Click Enable MFA
- Scan the QR code with an authenticator app (Google Authenticator, Authy, 1Password, etc.)
- Enter the 6-digit verification code
- MFA is now active on the account
To disable MFA, users must verify with a current code from their authenticator app.
When MFA is required at the tenant level, all users must complete MFA setup before they can access the application.