Parascope supports two authentication methods: Single Sign-On (SSO) via OIDC for interactive users, and API tokens for programmatic access.

Single Sign-On (SSO)

When SSO is enabled, you can log in using your organization's identity provider (Okta, Azure AD, Google, and other OIDC-compatible providers).

Logging In

Navigate to Parascope
Click Sign in with SSO
Authenticate with your identity provider
You'll be redirected back to Parascope, now logged in

Your user account is created automatically on first login (Just-In-Time provisioning). The account inherits your name and email from the identity provider.

Session Management

Sessions are valid for 24 hours by default. Your session automatically refreshes when you're actively using Parascope. If your session expires, you'll be redirected to the login page.

To log out, click your user avatar in the top-right corner and select Sign out.

API Tokens

API tokens allow programmatic access to Parascope. Tokens inherit your permissions and data scopes, so they can only access what you can access.

Creating a Token

Click your user avatar and select API Tokens
Click Create Token
Enter a name and description
Select an expiration period
Click Create

Important: Copy your token immediately. It will only be shown once.

Using a Token

Include your token in the X-API-Key header:

curl -H "X-API-Key: ps_usr_your_token_here" \
  https://your-company.parascope.io/api/v1/configuration-items

Token Limits

Maximum 10 tokens per user
Maximum expiration: 1 year
Tokens can be revoked at any time

Revoking a Token

Click your user avatar and select API Tokens
Find the token you want to revoke
Click Revoke
Confirm the revocation

Revocation is immediate. Any requests using the revoked token will fail.

Permissions and Data Scopes

Your access to Parascope resources is controlled by:

Permissions: What actions you can perform (read, write, delete)
Data Scopes: Which data you can see (by source and instance)

How Permissions Work

Permissions are assigned either directly to you or through team membership. Your effective permissions are the union of:

Direct permissions assigned to your user
Permissions from all teams you belong to

For example, if Team A grants read on configuration items and Team B grants write, you'll have both read and write access.

How Data Scopes Work

Data scopes restrict which CIs you can see. Scopes are defined by:

Source: The data source (kubernetes, proxmox, ceph, etc.)
Scope ID: A specific cluster or instance within that source

Like permissions, your effective data scopes are the union of your direct scopes and team scopes.

Example scopes:

Source	Scope ID	Access
kubernetes	null	All Kubernetes data
kubernetes	prod-cluster	Only prod-cluster
proxmox	null	All Proxmox data
null	null	Full access (all sources)

Superadmin

Superadmin users bypass all permission and scope checks. They have full access to everything in Parascope.

Token Security Best Practices

Use descriptive names: Name tokens by their purpose (e.g., "GitHub Actions CI")
Set appropriate expiration: Use the shortest expiration that meets your needs
Rotate regularly: Create new tokens and revoke old ones periodically
Don't share tokens: Each person or system should have their own token
Use environment variables: Never hardcode tokens in scripts or code

# Good: Use environment variable
export PARASCOPE_TOKEN="ps_usr_..."
curl -H "X-API-Key: $PARASCOPE_TOKEN" ...

# Bad: Hardcoded token
curl -H "X-API-Key: ps_usr_abc123..." ...

Troubleshooting

"Authentication required" error

You're trying to access a protected resource without a valid session or token.

Browser: Log in via SSO
API: Include a valid X-API-Key header

The token may have expired
The token may have been revoked
Your user account may have been deactivated

Click your avatar and select API Tokens to check your token status.

Authentication