Identity Providers

Char AI uses an SSO-first approach to authenticate end users interacting with your embedded widget. Instead of managing separate credentials, your users authenticate through your existing identity provider (IDP) and access the AI widget seamlessly.

How It Works

  1. User authenticates with your IDP
    When a user accesses your application, they authenticate through your existing identity provider (Okta, Azure AD, Auth0, Google, or any OIDC provider).
  2. Your app receives a JWT token
    Your IDP issues a signed JWT token containing the user’s identity (sub claim) and other claims.
  3. Widget validates the token
    When initializing the Char AI widget, pass the user’s JWT token. Char validates the token against your IDP’s public keys (JWKS) and extracts the user identity.
  4. Secure, seamless experience
    The widget authenticates the user without additional login steps. Usage is tracked per-user based on their IDP identity.

Supported Identity Providers

Security Model

Char AI’s SSO integration is built on security best practices:
  • Token validation: Asymmetric signature verification using the IDP’s public keys (JWKS)
  • Issuer validation: Tokens must come from the configured IDP’s issuer URL
  • Audience validation: Tokens must include your configured client ID in the aud claim
  • No shared secrets: Only public key cryptography - no client secrets stored
  • Token handling: Tokens are validated, claims extracted, then discarded - never persisted
Audience validation is critical. If your IDP is used by multiple applications, without audience validation an attacker could use a token from another app to access your Char widget. Always configure the Client ID (audience) in your Char dashboard.

Configuration Overview

Every IDP requires:
  1. Provider Type: Select your IDP (Okta, Azure AD, Auth0, Google, WorkOS, or Custom OIDC)
  2. Client ID: Your OIDC application’s client ID (used for audience validation)
  3. Domain/Issuer: Provider-specific identifier:
    • Okta: Your Okta domain (e.g., acme.okta.com)
    • Azure AD: Your tenant ID or domain
    • Auth0: Your Auth0 domain (e.g., acme.auth0.com)
    • Google: No additional configuration needed
    • WorkOS: Full issuer URL (requires manual aud claim configuration)
    • Custom OIDC: Full issuer URL
  4. Allowed Domains: Origins where your widget can be embedded

Widget Integration

Once your IDP is configured, initialize the widget with the user’s JWT token:
```javascript
import { CharWidget } from '@char-ai/widget';

CharWidget.init({
  siteId: 'your-site-id',
  userToken: currentUser.idToken, // JWT from your IDP
});
```
The widget automatically validates the token against your configured IDP and establishes the user session.
For detailed integration instructions, see the Embedding Widget guide.

Testing Your Configuration

The Char dashboard includes a Test Connection feature that verifies your IDP configuration by fetching the OIDC discovery document. This confirms:
  • The IDP is accessible
  • The discovery document is valid
  • The JWKS endpoint is available