Skip to content

Onboarding

This guide explains how Askalot handles multi-tenant deployment and authentication, ensuring your organization's data remains secure and isolated.

How to Join Askalot

Organizations can join the platform through three onboarding approaches:

Enterprise Federation

For organizations with existing identity providers.

Organizations with established identity systems (Google Workspace, Microsoft Azure AD, Okta) can federate authentication with Askalot. Users sign in with their existing organizational accounts, with automatic provisioning on first login.

Managed Onboarding

For organizations without identity federation capabilities.

Askalot creates a dedicated tenant environment. Users with manager or admin roles can invite new members by email. Invited users register using any supported authentication method — including public providers like Google, Apple, Facebook, or Microsoft — they are not limited to an organizational identity provider.

Self-Service (Demo)

For individual researchers and small teams.

The development tenant provides self-service registration via the ACME Corp demo organization for researchers who want to try the platform without organizational commitment. Register with any supported login method — password-based registration requires email verification, while signing in through a trusted public provider (Google, Apple, Facebook, or Microsoft) grants immediate access without verification, since Askalot trusts the provider's identity confirmation.

Multi-Tenant Architecture

Askalot uses a fully isolated multi-tenant architecture where each organization (tenant) operates in a completely separate environment. This design provides:

  • Complete Data Isolation: Your surveys, participants, and responses are stored separately from other organizations
  • Independent Resources: Each tenant has dedicated compute resources with no shared processing
  • Custom Domains: Access your environment via <service>.<tenant>.askalot.io

How Tenant Isolation Works

Each tenant runs in an isolated Linux container (LXC) with:

  • Separate network namespace: Tenants cannot communicate directly with each other
  • Dedicated storage: Data volumes are mounted exclusively to each tenant
  • Independent service instances: Each tenant runs its own copy of all services

Your Tenant URLs

Once onboarded, you'll access your environment through these URLs:

Service URL Pattern Purpose
Roundtable roundtable.<tenant>.askalot.io Dashboard and user management
SirWay sirway.<tenant>.askalot.io Survey execution
Targetor targetor.<tenant>.askalot.io Campaign management
Armiger armiger.<tenant>.askalot.io Questionnaire editor
Balansor balansor.<tenant>.askalot.io Statistical analysis
Portor portor.<tenant>.askalot.io API gateway & MCP

Replace <tenant> with your organization's assigned tenant name.

Authentication

Askalot uses a centralized authentication system that provides single sign-on (SSO) across all services within your tenant.

Global Identity Provider

Authentication is handled by a global OIDC (OpenID Connect) identity provider that serves all tenants. This design provides:

  • Single Sign-On: Log in once and access all Askalot services
  • Privacy-Preserving Discovery: Your tenant membership is never exposed to other organizations
  • Multiple Authentication Methods: Support for password and social login (Google, Microsoft)

How Authentication Works

sequenceDiagram
    participant Browser
    participant OIDC as Global OIDC<br/>(askalot.io)
    participant Tenant as Your Tenant<br/>Services

    Browser->>OIDC: 1. Visit askalot.io
    Browser->>OIDC: 2. Enter credentials
    OIDC->>Tenant: 3. Verify with tenant
    Tenant-->>OIDC: 4. User confirmed
    OIDC-->>Browser: 5. Set session cookie & redirect
    Browser->>Tenant: 6. Access services (already logged in)

Step-by-step flow:

  1. Visit the landing page at https://askalot.io
  2. Enter your email and password (or use social login)
  3. Automatic tenant discovery - the system finds which tenant(s) you belong to
  4. Session established - a secure cookie is set for all Askalot services
  5. Redirect to your tenant - you're automatically taken to your dashboard

Supported Login Methods

Method Description
Email + Password Traditional username/password authentication
Google Sign in with your Google account
Microsoft Sign in with your Microsoft/Azure AD account

Additional identity providers (Okta, Apple, Facebook) can be configured for enterprise deployments.

Multi-Tenant User Support

If you belong to multiple organizations, the login flow handles this seamlessly:

  1. Enter your email and password
  2. If you're a member of multiple tenants, a selection dialog appears
  3. Choose which organization to access
  4. You can switch tenants by logging out and selecting a different one

Session Security

  • JWT-based sessions: Stateless authentication using signed tokens
  • Secure cookies: HttpOnly, Secure, SameSite flags prevent common attacks
  • Domain-scoped: Cookies are scoped to .askalot.io for SSO across services
  • Configurable expiration: Session duration set by your organization's policy

API Authorization

For programmatic access via the REST API or MCP interface, use API tokens instead of interactive login.

Generating API Tokens

  1. Log in to your Roundtable dashboard
  2. Navigate to Profile Settings
  3. Select API Tokens
  4. Click Generate New Token
  5. Copy and securely store the token (it won't be shown again)

Using API Tokens

Include your token in the Authorization header:

Authorization: Bearer your_api_token

See the REST API and MCP Interface documentation for detailed usage.

Connecting AI Tools via MCP

Askalot's MCP (Model Context Protocol) interface allows AI assistants to interact directly with the platform. To connect your AI tool, add the following configuration:

Add to your ~/.claude/mcp.json:

{
  "mcpServers": {
    "askalot": {
      "type": "http",
      "url": "https://portor.<tenant>.askalot.io/mcp",
      "headers": {
        "Authorization": "Bearer ${ASKALOT_API_TOKEN}"
      }
    }
  }
}

Set the environment variable: 

export ASKALOT_API_TOKEN=your_api_token

Add to your MCP configuration in Cursor settings:

{
  "mcpServers": {
    "askalot": {
      "type": "http",
      "url": "https://portor.<tenant>.askalot.io/mcp",
      "headers": {
        "Authorization": "Bearer ${ASKALOT_API_TOKEN}"
      }
    }
  }
}

In your n8n workflow, configure the MCP node with:

  • URL: https://portor.<tenant>.askalot.io/mcp
  • Authentication: Bearer Token
  • Token: Your API token from Roundtable

Replace <tenant> with your organization's tenant name.

Your Starting Resources

When you first log in, Askalot sets up a personal workspace so you can begin working immediately:

  • Default Project — A personal project named after you (e.g., "Alice's Project"). Use it for your first surveys or rename it to match your research. This project cannot be deleted.
  • Default Sampling Strategy — A ready-to-use strategy with standard demographic factors (gender and age group distributions). Use it to generate representative respondent pools without any configuration. This strategy is read-only to ensure a consistent baseline across your organization.

These defaults are created for each user in non-private organizations. In private organizations, users collaborate on shared resources and create their own projects and strategies as needed.

Get started quickly

With the default project and strategy already in place, you can jump straight to importing respondents and creating your first campaign.

Getting Started

Ready to start using Askalot? Here's what to do next:

Need Help?

Contact your organization's Askalot administrator or reach out to support: