Onboarding

This guide explains how Askalot handles multi-tenant deployment and authentication, ensuring your organization's data remains secure and isolated.

Multi-Tenant Architecture

Askalot uses a fully isolated multi-tenant architecture where each organization (tenant) operates in a completely separate environment. This design provides:

• Complete Data Isolation: Your surveys, participants, and responses are stored separately from other organizations
• Independent Resources: Each tenant has dedicated compute resources with no shared processing
• Custom Domains: Access your environment via <service>.<tenant>.askalot.io

How Tenant Isolation Works

Each tenant runs in an isolated Linux container (LXC) with:

• Separate network namespace: Tenants cannot communicate directly with each other
• Dedicated storage: Data volumes are mounted exclusively to each tenant
• Independent service instances: Each tenant runs its own copy of all services

Your Tenant URLs

Once onboarded, you'll access your environment through these URLs:

Service	URL Pattern	Purpose
Roundtable	roundtable.<tenant>.askalot.io	Dashboard and user management
SirWay	sirway.<tenant>.askalot.io	Survey execution
Targetor	targetor.<tenant>.askalot.io	Campaign management
Armiger	armiger.<tenant>.askalot.io	Questionnaire editor
Balansor	balansor.<tenant>.askalot.io	Statistical analysis
Portor	portor.<tenant>.askalot.io	API gateway & MCP

Replace <tenant> with your organization's assigned tenant name.

Authentication

Askalot uses a centralized authentication system that provides single sign-on (SSO) across all services within your tenant.

Global Identity Provider

Authentication is handled by a global OIDC (OpenID Connect) identity provider that serves all tenants. This design provides:

• Single Sign-On: Log in once and access all Askalot services
• Privacy-Preserving Discovery: Your tenant membership is never exposed to other organizations
• Multiple Authentication Methods: Support for password and social login (Google, Microsoft)

How Authentication Works

sequenceDiagram
    participant Browser
    participant OIDC as Global OIDC<br/>(askalot.io)
    participant Tenant as Your Tenant<br/>Services

    Browser->>OIDC: 1. Visit askalot.io
    Browser->>OIDC: 2. Enter credentials
    OIDC->>Tenant: 3. Verify with tenant
    Tenant-->>OIDC: 4. User confirmed
    OIDC-->>Browser: 5. Set session cookie & redirect
    Browser->>Tenant: 6. Access services (already logged in)

Step-by-step flow:

1. Visit the landing page at https://askalot.io
2. Enter your email and password (or use social login)
3. Automatic tenant discovery - the system finds which tenant(s) you belong to
4. Session established - a secure cookie is set for all Askalot services
5. Redirect to your tenant - you're automatically taken to your dashboard

Supported Login Methods

Method	Description
Email + Password	Traditional username/password authentication
Google	Sign in with your Google account
Microsoft	Sign in with your Microsoft/Azure AD account

Additional identity providers (Okta, Apple, Facebook) can be configured for enterprise deployments.

Multi-Tenant User Support

If you belong to multiple organizations, the login flow handles this seamlessly:

1. Enter your email and password
2. If you're a member of multiple tenants, a selection dialog appears
3. Choose which organization to access
4. You can switch tenants by logging out and selecting a different one

Session Security

• JWT-based sessions: Stateless authentication using signed tokens
• Secure cookies: HttpOnly, Secure, SameSite flags prevent common attacks
• Domain-scoped: Cookies are scoped to .askalot.io for SSO across services
• Configurable expiration: Session duration set by your organization's policy

API Authorization

For programmatic access via the REST API or MCP interface, use API tokens instead of interactive login.

Generating API Tokens

1. Log in to your Roundtable dashboard
2. Navigate to Profile Settings
3. Select API Tokens
4. Click Generate New Token
5. Copy and securely store the token (it won't be shown again)

Using API Tokens

Include your token in the Authorization header:

Authorization: Bearer your_api_token

See the REST API and MCP Interface documentation for detailed usage.

Connecting AI Tools via MCP

Askalot's MCP (Model Context Protocol) interface allows AI assistants to interact directly with the platform. To connect your AI tool, add the following configuration:

Claude CodeCursorn8n

Add to your ~/.claude/mcp.json:

{
  "mcpServers": {
    "askalot": {
      "type": "http",
      "url": "https://portor.<tenant>.askalot.io/mcp",
      "headers": {
        "Authorization": "Bearer ${ASKALOT_API_TOKEN}"
      }
    }
  }
}

Set the environment variable:

export ASKALOT_API_TOKEN=your_api_token

Add to your MCP configuration in Cursor settings:

{
  "mcpServers": {
    "askalot": {
      "type": "http",
      "url": "https://portor.<tenant>.askalot.io/mcp",
      "headers": {
        "Authorization": "Bearer ${ASKALOT_API_TOKEN}"
      }
    }
  }
}

In your n8n workflow, configure the MCP node with:

• URL: https://portor.<tenant>.askalot.io/mcp
• Authentication: Bearer Token
• Token: Your API token from Roundtable

Replace <tenant> with your organization's tenant name.

Getting Started

Ready to start using Askalot? Here's what to do next:

• Quick Start

  ---

  Create your first survey in minutes

  Quick Start Guide

• User Guide

  ---

  Learn the full capabilities of the platform

  User Guide

• API Access

  ---

  Integrate Askalot into your applications

  API Documentation

Need Help?

Contact your organization's Askalot administrator or reach out to support:

• Email: [email protected]
• Terms of Services