Workspace Settings
The Settings page (/settings) centralizes workspace-level controls for authentication, device policy, model governance, alerts, and exports.
Authentication and access
OAuth providers
Enable or disable OAuth sign-in methods:
- Google — recommended for teams using Google Workspace
- Apple — available for Apple Business accounts
Each provider requires a client ID and secret. Configure these in Settings > Authentication > OAuth Providers.
Passkeys (WebAuthn)
Enable passwordless login via hardware security keys, Touch ID, or Face ID. When enabled, users can register a passkey from their profile page.
Enterprise SSO/SAML
For organizations requiring centralized identity management:
- Navigate to Settings > Authentication > SSO.
- Enter your IdP metadata URL (Okta, Azure AD, OneLogin, etc.).
- Map IdP attributes to Octomil roles.
- Enable "Require SSO" to enforce SSO for all users (disables password login).
SSO users are auto-provisioned on first login. Role mapping follows IdP group assignments.
Training and device policy
Control how and when devices participate in training:
| Setting | Options | Default |
|---|---|---|
| Training mode | federated, local_only | federated |
| Min battery level | 0--100% | 20% |
| Network requirement | any, wifi_only, unmetered | wifi_only |
| Training window | Time range (UTC) | Always |
| Max training duration | Seconds | 300 |
| Sample rate | 0.0--1.0 | 1.0 |
Example: For a mobile health app, set wifi_only + 30% battery minimum + nighttime training window (00:00--06:00 UTC) to minimize user impact.
Security and sessions
MFA enforcement
Enable MFA for specific roles:
- Admin MFA required — all admin users must set up TOTP or WebAuthn
- All users MFA required — every user must configure a second factor
IP allowlist
Restrict API access to specific IP ranges. Useful for enterprise environments with corporate VPNs.
203.0.113.0/24
198.51.100.0/24
Devices (using device tokens) are exempt from IP allowlists.
Session policy
| Setting | Description | Default |
|---|---|---|
| Session duration | Max time before re-authentication | 24 hours |
| Idle timeout | Time before inactive sessions expire | 1 hour |
| Concurrent sessions | Max active sessions per user | 5 |
Governance and retention
Production protection
Enable safeguards for production model deployments:
- Require approval — model version publishing requires admin approval
- Auto-rollback threshold — automatically roll back a deployment if error rate exceeds a threshold (e.g., 5% failure rate)
- Production lock — prevent model changes during critical periods
Audit retention
Configure how long audit events are retained:
| Preset | Retention | Compliance mapping |
|---|---|---|
| Standard | 90 days | General operations |
| Extended | 1 year | SOC 2 |
| HIPAA | 6 years | HIPAA 164.530(j) |
| Custom | User-defined | — |
See Logs and Audit Trail for details on audit event structure and export.
Integrations and alerts
Slack integration
Connect a Slack workspace to receive alerts:
- Navigate to Settings > Integrations > Slack.
- Click Connect Slack and authorize the Octomil bot.
- Select a default channel for alerts.
Alert types you can route to Slack:
- Training round failures
- Deployment rollback events
- Device health warnings
- Privacy budget exhaustion
Email notifications
Configure email recipients for critical alerts. Uses the workspace email domain by default.
Webhook / SIEM
Send events to external systems via webhook:
Endpoint: https://your-siem.example.com/api/events
Headers: Authorization: Bearer <your-token>
Format: JSON (one event per request)
Events are sent in near-real-time with at-least-once delivery. Each event includes a unique event_id for deduplication.
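A receiving endpoint has to authenticate the bearer token and drop redelivered events. The sketch below is an added example, not Octomil code: the class name, the status codes, the 24-hour dedup window, and every event field other than event_id are assumptions.

```python
import hmac
import json
import time

DEDUP_TTL_SECONDS = 24 * 3600  # assumption: how long an event_id is remembered


class EventReceiver:
    """Accepts one JSON event per request and drops redelivered duplicates."""

    def __init__(self, token, ttl=DEDUP_TTL_SECONDS):
        self._token = token.encode()
        self._ttl = ttl
        self._seen = {}      # event_id -> expiry timestamp
        self.accepted = []   # events handed on to the SIEM pipeline

    def _authorized(self, headers):
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        # Constant-time comparison avoids leaking the token through timing.
        return scheme == "Bearer" and hmac.compare_digest(presented.encode(), self._token)

    def handle(self, headers, body, now=None):
        """Return an HTTP status code for one webhook request."""
        now = time.time() if now is None else now
        if not self._authorized(headers):
            return 401
        try:
            event = json.loads(body)
            event_id = event["event_id"]
        except (ValueError, KeyError, TypeError):
            return 400
        if not isinstance(event_id, str) or not event_id:
            return 400
        # Expire old ids so the dedup table stays bounded.
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}
        if event_id in self._seen:
            # Duplicate: acknowledge it, but do not ingest it a second time.
            return 200
        self._seen[event_id] = now + self._ttl
        self.accepted.append(event)
        return 200


if __name__ == "__main__":
    # Constructed sample request, delivered twice to simulate a redelivery.
    rx = EventReceiver("constructed-example-token")
    hdrs = {"Authorization": "Bearer constructed-example-token"}
    body = json.dumps({"event_id": "evt-0001", "type": "deployment.rollback"})
    print([rx.handle(hdrs, body) for _ in range(2)], len(rx.accepted))
```

In a multi-instance deployment the in-memory table would be replaced by a shared store with the same expiry semantics, so that a retry landing on another instance is still recognized.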
Metrics export
Configure export destinations for inference and training metrics:
- Prometheus — expose a /metrics endpoint for scraping
- Datadog — push metrics via the Datadog API
- OpenTelemetry (OTLP) — push to any OTLP-compatible collector
- StatsD — emit metrics via UDP/TCP
Log export
Stream operational and audit logs to external systems:
- Splunk HEC — HTTP Event Collector
- Elasticsearch — direct indexing
- Datadog — log forwarding
- CloudWatch — AWS log streams
- OpenTelemetry (OTLP) — push to any OTLP-compatible collector
- Webhook — POST to any HTTP endpoint
OTLP Collector (unified)
For teams using an OpenTelemetry collector, the OTLP Collector card in Settings configures both metrics and log export with a single endpoint. See Export Metrics for setup details.
Gotchas
- "Require SSO" locks out non-SSO users — enabling this disables password login for all users. Make sure at least one admin can authenticate via SSO before flipping this switch.
- IP allowlists don't apply to device tokens — devices using device tokens bypass IP restrictions by design. Only human API access (dashboard, SDK with API key) is filtered.
- MFA enforcement is immediate — users without MFA are locked out on next login and must set up a second factor before they can access the workspace.
- Audit retention changes are not retroactive — switching from 90 days to HIPAA (6 years) does not recover events already purged. Set your retention policy before going to production.
- Webhook delivery is at-least-once — your SIEM endpoint may receive duplicate events. Use event_id for deduplication.
- Session duration resets on activity — the 24h default resets when the user makes an authenticated request. Idle timeout (1h default) does not reset.
Related
- Audit Logs
- Monitoring — alert rules and routing
- Compliance — HIPAA, GDPR, PCI, SOC 2
- SSO & SCIM
- Privacy