
Authorization and Authentication

Understand the basics of user sign-in and access control

Updated over a week ago

The Thunk.AI platform uses OAuth 2.0/OIDC-based single-sign-on to authenticate user accounts.

  • In the public multi-tenant instance of the service, the two sign-on providers supported are Google and Microsoft. If the user's business email is provided by either Google Workspace or Microsoft 365 and the company's admin allows single-sign-on authentication for third-party applications like Thunk.AI, then single-sign-on will work seamlessly.

  • In a private instance, any suitable OIDC-compatible identity provider can be used for authorization.

This same identity is associated with the user when the AI agent takes any action on the user’s behalf.

All API calls made to Thunk.AI and all agent activity happen in the context of one "thunk", which is a specific workflow application. The thunk definition includes role-based access control. Users of a thunk are listed (via a whitelist) in one of four roles:

  1. Owner: a thunk has a single Owner. All AI agents in the thunk run with the identity of the owner.

  2. Admins: Owners and Admins can add other users to the thunk, modify the access control definition, and modify AI instructions.

  3. Human Agents: they are assigned steps within individual workflow runs. The role of a human agent user is to be a "human-in-the-loop" approver and troubleshooter for the work done by AI agents. Human agents can approve or override the decisions made by AI agents.

  4. End-Users: they can submit new workflow requests via an authenticated API. If the owner of thunk A is at least an end-user of thunk B, then thunk A can make cross-thunk requests to workflows in thunk B.

Owners are implicitly also Admins. Admins and Owners are implicitly also Human Agents, and members of all roles are implicitly also End-Users.

In many thunks, especially those that are fully automated, the only user is the thunk Owner who plays all roles.
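The role implications and the cross-thunk rule described above can be modelled as an ordered role check. This is an added illustration, not Thunk.AI's own code or API: the `Role`, `Thunk` and `can_call_across` names and the sample identities are hypothetical.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    # Ordered so that a higher role implicitly holds every lower one.
    END_USER = 1
    HUMAN_AGENT = 2
    ADMIN = 3
    OWNER = 4


@dataclass
class Thunk:                                     # hypothetical model of a thunk definition
    name: str
    owner: str                                   # a thunk has a single Owner
    members: dict = field(default_factory=dict)  # whitelist: identity -> Role

    def role_of(self, identity):
        if identity == self.owner:
            return Role.OWNER
        return self.members.get(identity)        # None: not on the whitelist

    def has_role(self, identity, required):
        # Deny by default; otherwise compare against the role ordering.
        role = self.role_of(identity)
        return role is not None and role >= required

    def agent_identity(self):
        # All AI agents in the thunk run with the identity of the Owner.
        return self.owner


def can_call_across(source, target):
    # Thunk A may request workflows in thunk B only if A's Owner
    # is at least an End-User of B.
    return target.has_role(source.agent_identity(), Role.END_USER)


# Constructed sample data (identities are placeholders).
intake = Thunk("intake", owner="ana@example.com",
               members={"raj@example.com": Role.HUMAN_AGENT})
billing = Thunk("billing", owner="lee@example.com",
                members={"ana@example.com": Role.END_USER})

if __name__ == "__main__":
    print(can_call_across(intake, billing))  # True
    print(can_call_across(billing, intake))  # False
```

Because agents act as the Owner, what an agent can reach in other thunks follows from where the Owner's identity is whitelisted, which is the list to review when auditing cross-thunk access.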
