Skip to main content
Enterprise Feature — End user management is available on superglue Enterprise plans. Contact us to learn more.
End users allow your application’s users to connect their own credentials for systems like Salesforce, HubSpot, or Google Workspace. Instead of using shared organization credentials, each user authenticates with their own account—essential for building personalized AI assistants and multi-tenant applications.

How it works

1

Enable multi-tenancy on a system

Toggle “Multi-tenancy Mode” when configuring a system’s authentication
2

Create end users

Register your application’s users via the dashboard or API
3

Users authenticate via portal

Send users to the Connection Portal where they connect their accounts
4

Tools use user credentials

When executing tools, superglue automatically uses the authenticated user’s credentials

Enabling multi-tenancy on a system

When creating or editing a system, enable multi-tenancy mode in the Authentication section:
  1. Navigate to Systems and select your system
  2. In the Authentication tab, toggle Multi-tenancy Mode
  3. Configure the OAuth settings (client ID, client secret, scopes) - these will be used as the template for end-user authentication
  4. Save the system
System multi-tenancy configuration
When multi-tenancy is enabled, end users authenticate via the portal using your OAuth configuration. The system acts as a template—each user gets their own tokens.

Managing end users

Creating end users in the dashboard

The easiest way to manage end users is through the Organization page:
  1. Navigate to Control Panel → Organization
  2. In the End Users section, click New End User
  3. Enter the user’s name and email
  4. Configure which systems they can access (all systems or specific ones)
  5. Click Create or Create & Add Another to add multiple users quickly
Organization page showing team members and end users
The Organization page shows:
  • Team Members: Admins and members who can access the superglue dashboard
  • End Users: External users who authenticate via the portal to use your tools

Creating end users via API

For programmatic user management, use the REST API: 
curl -X POST https://api.superglue.cloud/v1/end-users \
  -H "Authorization: Bearer $SUPERGLUE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "externalId": "user-123",
    "email": "[email protected]",
    "name": "John Doe",
    "allowedSystems": ["*"]
  }'
FieldRequiredDescription
externalIdNoYour application’s user ID (auto-generated if not provided)
emailNoUser’s email address
nameNoUser’s display name
allowedSystemsNoArray of system IDs, or ["*"] for all systems

Controlling system access

You can restrict which systems each end user can access:
  • All systems (["*"]): User can connect to any multi-tenancy system
  • Specific systems: User can only connect to the listed system IDs
This is useful when different user tiers have access to different integrations.

The Connection Portal

The Connection Portal is where end users authenticate with external services. It provides a simple, branded experience for connecting accounts.
Connection Portal showing available systems

Portal features

  • Shows all systems the user is allowed to access
  • Displays connection status for each system
  • One-click OAuth flow to connect accounts
  • Users can disconnect and reconnect at any time
Generate a portal link to send to a user: Via the dashboard:
  1. Go to Control Panel → Organization
  2. Find the end user and click the portal icon
  3. The portal opens in a new tab (or copy the URL to share)
Via API: 
curl -X POST https://api.superglue.cloud/v1/end-users/{endUserId}/portal-token \
  -H "Authorization: Bearer $SUPERGLUE_API_KEY"
Response: 
{
  "success": true,
  "data": {
    "portalUrl": "https://app.superglue.cloud/portal?token=xxx",
    "expiresAt": "2024-01-15T12:00:00Z"
  }
}
Portal tokens expire after 24 hours. Generate new tokens as needed.

Authentication via MCP

When using superglue with AI agents via MCP, end users can authenticate directly through the agent conversation.
  1. The agent attempts to use a tool that requires authentication
  2. superglue returns an authentication URL
  3. The agent presents the link to the user
  4. User clicks the link, completes OAuth, and returns to the conversation
  5. The agent retries the tool—now with valid credentials

End-user API keys

To execute tools on behalf of a specific end user, create an API key linked to that user:
  1. Navigate to Control Panel → API Keys
  2. Click New End User Key
  3. Select the end user to link
  4. Configure allowed tools (optional)
When this key is used:
  • All tool executions use the linked end user’s credentials
  • Access is scoped to the user’s allowed systems
  • All activity is logged with the end user ID

Enterprise identity providers

For organizations using enterprise identity providers, superglue can integrate with:
  • Microsoft Entra ID (Azure AD)
  • Okta
  • Auth0
  • Google Workspace
  • Custom SAML/OIDC providers
This allows your users to authenticate with their existing corporate credentials, with automatic user provisioning and group-based access control.
Enterprise identity provider integration requires custom configuration. Contact us to discuss your requirements.

Security

Credential isolation

Each user’s credentials are encrypted and isolated. Users can only access their own data.

Token expiration

Portal tokens expire after 24 hours. OAuth tokens are automatically refreshed.

Revocation

Users can disconnect systems at any time via the portal. Admins can view status in the dashboard.

Audit trail

All tool executions are logged with the end user ID for compliance and debugging.

API reference

EndpointMethodDescription
/v1/end-usersGETList all end users
/v1/end-usersPOSTCreate or update an end user
/v1/end-users/{id}GETGet end user details
/v1/end-users/{id}DELETEDelete an end user and their credentials
/v1/end-users/{id}/portal-tokenPOSTGenerate portal link