A team is a group of people who work together on infrastructure and share an authentication method (such as OAuth). The team is the top-level organizational concept in ScaleFT. All other configuration objects in ScaleFT are scoped to a team.

Team documentation

Identity Provider (IdP)

Every team has an Identity Provider (such as Okta, Active Directory, or LDAP) which users authenticate to using the team’s authentication method (such as OAuth). The IdP is the source of truth for that user’s identity and current access. Different Identity Providers support different authentication methods.

Authentication Method documentation


A user is a person who belongs to a team. Users can authorize clients to receive credentials. The permissions of a user in ScaleFT are determined by their group memberships.

Service User

A service user is an abstraction for services or software automation which can be granted specific authorizations in ScaleFT. Like users, service users belong to teams, and their permissions are determined by their group memberships. Service users can be used for automating actions against the ScaleFT API, or be granted credentials to servers.

Service User documentation


The ScaleFT client is installed on a device (such as a laptop or workstation) which a user uses to access infrastructure. The ScaleFT client manages the dynamic credentials on the device so the user can transparently access ScaleFT-managed infrastructure.

Client Enrollment documentation


Groups are used to grant permissions to users within ScaleFT, and can be linked to projects to grant permissions within that project.

Group documentation


A project is a collection of resources (such as servers, load-balancers, web services, or VPNs) that share configurations and associated user group permissions.

Project documentation

Dynamic Credentials

ScaleFT projects operate Certificate Authorities to issue short-lived certificates, which are managed transparently on the user’s device by the ScaleFT client.

Each of these certificates contains the following information:

  1. The ScaleFT project for which the certificate was issued
  2. The username to be used on the server of the ScaleFT user to whom the certificate was issued
  3. The time at which the certificate expires

Since ScaleFT credentials are short-lived, and scoped to a project, even if a credential is compromised by an attacker, the attacker has a very limited window of time to use the certificate before it expires, and it is only of use against resources in that project.