Security
-
View audit logs
Audit logs give you a detailed record of every significant action taken within your organisation. They help you monitor user activity, investigate security incidents, and maintain compliance by showing who did what, when, and from where.
Prerequisites
- You must have the Admin role to access audit logs.
Access audit logs
On the Tekst platform, click Settings in the bottom navigation menu. Then select the Audit Logs tab to open the audit log overview.
You will see a paginated table showing the most recent audit events, with the newest entries displayed first.
Understanding the audit log table
The audit log table displays four columns:
- Actor - The name of the user who performed the action, along with their IP address.
- Action - The specific action that was performed (for example, user_create or flow_publish).
- Type - The type of resource that was affected (for example, user, flow, or integration).
- Date and time - The exact date and time the action occurred.
The table shows 10 entries per page. Use the pagination controls at the bottom of the table to navigate between pages. You can also change the number of entries per page by selecting 10, 25, 50, or 100 from the page size dropdown.
Filter audit logs
You can narrow down the audit log results using two filters located above the table. Filtered views are reflected in the URL, so you can bookmark or share a specific filtered view.
Filter by date range
Click the date filter button (calendar icon) to open the date range picker. Select a start date and end date to view events within that period. You can optionally set a specific time for more precise filtering. Click Apply to update the results, or Clear to remove the date filter.
Filter by action type
Click the action filter button to open a searchable dropdown of all available action types. Type to search for a specific action, then select it to filter the table. Only one action type can be selected at a time. To remove the filter, select All Actions.
View audit log details
Click any row in the table to open a detail panel on the right side of the screen. The detail panel contains two tabs:
Details tab
- Actor - The name, user ID, and IP address of the person who performed the action.
- Action - The action name and CRUD operation type (created, read, updated, or deleted).
- Target - The type, name, and ID of the resource that was affected.
- Date and time - Both the event creation time and the server insertion time.
- Status - If the action was performed anonymously or if it failed, a status badge is displayed.
- Description - A human-readable summary of what happened.
Raw JSON tab
This tab displays the complete audit log entry as raw JSON data, useful for technical investigation or when sharing details with your development team.
Tracked events
Tekst tracks a wide range of events across your organisation. For a complete list of every event type that appears in audit logs, see the "Audit log events reference" article.
If you have any questions or need help investigating a specific event, don't hesitate to contact our support team - we're here to help.
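Entries copied from the Raw JSON tab can be triaged offline. The sketch below is an added example, not Tekst code: the JSON field names (actor, action, created_at, inserted_at, status) are assumptions modelled on the Details tab, the action names come from the audit log events reference, and the choice of which actions count as sensitive, plus the five-minute lag threshold, is this example's own.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Example policy (an assumption, not a Tekst setting): actions that change
# credentials, authentication or access control deserve a second look.
SENSITIVE_PREFIXES = ("api_key_", "auth_method_")
SENSITIVE_SUFFIX = "_access_control_update"
SENSITIVE_ACTIONS = {"account_mfa_update", "account_password_reset",
                     "user_update", "user_delete", "organisation_delete"}
MAX_INSERT_LAG = timedelta(minutes=5)  # assumed threshold

# Constructed sample entries; the field names are hypothetical.
SAMPLE = """[
 {"actor": {"id": "u-1", "name": "Alice", "ip": "203.0.113.10"},
  "action": "account_login", "status": null,
  "created_at": "2024-05-01T09:00:00+00:00", "inserted_at": "2024-05-01T09:00:01+00:00"},
 {"actor": {"id": "u-1", "name": "Alice", "ip": "203.0.113.10"},
  "action": "flow_publish", "status": null,
  "created_at": "2024-05-01T09:05:00+00:00", "inserted_at": "2024-05-01T09:05:01+00:00"},
 {"actor": {"id": "u-2", "name": "Bob", "ip": "198.51.100.7"},
  "action": "api_key_create", "status": null,
  "created_at": "2024-05-01T09:10:00+00:00", "inserted_at": "2024-05-01T09:10:02+00:00"},
 {"actor": {"id": "u-2", "name": "Bob", "ip": "192.0.2.44"},
  "action": "flow_access_control_update", "status": "failed",
  "created_at": "2024-05-01T09:20:00+00:00", "inserted_at": "2024-05-01T09:20:01+00:00"},
 {"actor": {"id": "u-3", "name": "Carol", "ip": "203.0.113.20"},
  "action": "tag_update", "status": null,
  "created_at": "2024-05-01T10:00:00+00:00", "inserted_at": "2024-05-01T10:12:00+00:00"}
]"""


def review(entry):
    """Return the reasons one audit entry should be looked at (may be empty)."""
    reasons = []
    action = entry.get("action", "")
    if (action in SENSITIVE_ACTIONS
            or action.startswith(SENSITIVE_PREFIXES)
            or action.endswith(SENSITIVE_SUFFIX)):
        reasons.append("sensitive action")
    status = entry.get("status")
    if status in ("failed", "anonymous"):
        reasons.append(f"status: {status}")
    # The Details tab shows both timestamps; a large gap means the entry
    # reached the log well after the event, which matters for timelines.
    created = datetime.fromisoformat(entry["created_at"])
    inserted = datetime.fromisoformat(entry["inserted_at"])
    if inserted - created > MAX_INSERT_LAG:
        reasons.append("late insertion")
    return reasons


def triage(raw_json):
    """Return one finding per entry that has at least one reason."""
    findings = []
    for entry in json.loads(raw_json):
        reasons = review(entry)
        if reasons:
            findings.append({"actor": entry["actor"]["name"],
                             "ip": entry["actor"]["ip"],
                             "action": entry["action"],
                             "reasons": reasons})
    return findings


def actors_with_multiple_ips(raw_json):
    """Map actor id -> sorted IPs for actors seen from more than one address."""
    seen = defaultdict(set)
    for entry in json.loads(raw_json):
        seen[entry["actor"]["id"]].add(entry["actor"]["ip"])
    return {actor: sorted(ips) for actor, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
    print(actors_with_multiple_ips(SAMPLE))
```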
-
Audit log events reference
This article lists every event type that Tekst records in the audit logs. Use this as a reference to understand what each action means when reviewing your audit log history. To learn how to access and filter audit logs in the Settings UI, see the "View audit logs" article.
Organisation

| Action | Description |
| --- | --- |
| organisation_create | A new organisation was created. |
| organisation_update | Organisation settings or name were updated. |
| organisation_delete | An organisation was deleted. |

User

| Action | Description |
| --- | --- |
| user_create | A new user was added to the organisation. |
| user_update | A user's profile, role, or group membership was updated. |
| user_delete | A user was removed from the organisation. |

Integration

| Action | Description |
| --- | --- |
| integration_create | A new integration was created. |
| integration_update | An integration's name, settings, or sync state was updated. |
| integration_delete | An integration was deleted. |
| integration_access_control_update | Access control settings were changed for an integration. |

Flow

| Action | Description |
| --- | --- |
| flow_create | A new flow was created. |
| flow_update | A flow's name, description, or configuration was updated. |
| flow_delete | A flow was deleted. |
| flow_publish | A flow was published as a stable version. |
| flow_activate | A flow was activated and started running. |
| flow_deactivate | A flow was deactivated and stopped running. |
| flow_access_control_update | Access control settings were changed for a flow. |
| flow_approval_create | An approval request was created within a flow. |
| flow_approval_update | An approval request was approved or rejected. |

Model

| Action | Description |
| --- | --- |
| model_create | A new model was created. |
| model_update | A model's display name, description, or settings were updated. |
| model_delete | A model was deleted. |
| model_publish | A new model version was published. |
| model_access_control_update | Access control settings were changed for a model. |

Tag

| Action | Description |
| --- | --- |
| tag_create | A new tag was created. |
| tag_update | A tag was updated. |
| tag_delete | A tag was deleted. |

App

| Action | Description |
| --- | --- |
| app_create | A new app was created. |
| app_update | An app's settings were updated. |
| app_delete | An app was deleted. |
| app_publish | A new app version was published. |
| app_access_control_update | Access control settings were changed for an app. |

Invite

| Action | Description |
| --- | --- |
| invite_create | A new user invitation was sent. |
| invite_update | An invitation was re-enabled or resent. |
| invite_delete | An invitation was deleted. |
| invite_accept | An invitation was accepted by the invited user. |

Account

| Action | Description |
| --- | --- |
| account_update | A user updated their own account settings or name. |
| account_login | A user logged in to the platform. |
| account_logout | A user logged out of the platform. |
| account_password_reset | A password reset was initiated. |
| account_mfa_update | Multi-factor authentication enrollment was requested. |

Process mining

| Action | Description |
| --- | --- |
| process_mining_delete | Process mining data was cleared. |

API key

| Action | Description |
| --- | --- |
| api_key_create | A new API key was generated. |
| api_key_delete | An API key was deleted. |

Auth method

| Action | Description |
| --- | --- |
| auth_method_create | A new authentication method (such as SSO) was created. |
| auth_method_update | An authentication method's configuration was updated. |
| auth_method_delete | An authentication method was removed. |

-
Set up the IP firewall
The IP firewall restricts access to your Tekst project so that only users connecting from approved IP addresses can log in. When enabled, any request from an IP address that is not on the allow list is blocked. Use this feature to limit access to your office networks, VPNs, or other trusted locations.
Prerequisites
- A Tekst account with an Admin or Contributor role. Users with the Reader or Sales role cannot manage the IP firewall.
Enable the IP firewall
Step 1: Open the IP firewall settings
Go to Settings > Security. In the IP Firewall card, click Edit to open the IP allow list settings dialog.
Step 2: Add your IP addresses
Before enabling the firewall, add every IP address or range that should be allowed to access your project. In the dialog you will see a form with two fields:
- IP Address - enter a single IPv4 address (for example 203.0.113.10), a CIDR range (for example 203.0.113.0/24), or an IP range (for example 203.0.113.1-203.0.113.50).
- Description - enter a short label for the entry, such as "Amsterdam office" or "Company VPN". The description is required and can be up to 100 characters.
Click Add to add the entry to the list. Repeat this step for every network that needs access.
Your current IP address is detected automatically and shown with a Current badge in the table. You cannot remove your own IP address, which prevents you from accidentally locking yourself out.
Step 3: Enable the firewall
Toggle the Enable switch at the top of the dialog. A warning will appear reminding you that users connecting from IPs that are not on the list will be blocked.
Step 4: Save your changes
Click Save to apply the new settings. Once saved, the IP firewall is active and only the listed IP addresses can access the project.
Manage the allow list
To make changes after initial setup, go to Settings > Security, click Edit on the IP Firewall card, and update the list:
- Add an entry - fill in the IP address and description fields and click Add.
- Remove an entry - click the delete button next to the entry you want to remove. You cannot delete the entry that matches your current IP address.
Remember to click Save after making changes. If you close the dialog without saving, Tekst will warn you about unsaved changes.
Disable the IP firewall
Open the IP allow list settings dialog and toggle the Enable switch off. Your saved IP entries are preserved and will be applied again if you re-enable the firewall later.
Supported IP formats
The IP firewall accepts three formats:

| Format | Example | Description |
| --- | --- | --- |
| Single IP | 203.0.113.10 | Allows one specific address |
| CIDR range | 203.0.113.0/24 | Allows all addresses in the subnet |
| IP range | 203.0.113.1-203.0.113.50 | Allows all addresses between the two endpoints |

Troubleshooting
If a user is blocked by the IP firewall, they will see an error message stating that their IP address is not in the allowed list. To resolve this:
- Ask the user for their public IP address.
- Go to Settings > Security > IP Firewall > Edit.
- Add the IP address or a range that includes it.
- Click Save.
If you have locked yourself out and cannot access the platform, contact Tekst support for assistance.
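Before enabling the firewall, or when a blocked user reports their public IP address, the allow list can be checked offline. The following is an added example, not Tekst code: it parses the three supported formats and reports which entries cover a given address. Rejecting CIDR values with host bits set and flagging entries wider than a /16 are this script's own lint choices, and the sample entries are constructed.

```python
import ipaddress

MAX_DESCRIPTION = 100    # from the page: description required, up to 100 chars
BROAD_THRESHOLD = 65536  # assumption: flag entries wider than a /16 for review

# Constructed sample allow list as (value, description) pairs.
ENTRIES = [
    ("203.0.113.10", "Amsterdam office"),
    ("203.0.113.0/24", "Company VPN"),
    ("203.0.113.1-203.0.113.50", "Branch range"),
    ("203.0.113.50-203.0.113.1", "Reversed range"),
    ("2001:db8::1", "IPv6 host"),
    ("198.51.100.7", ""),
    ("0.0.0.0/0", "Everything"),
]


def parse_entry(value):
    """Return (first, last) IPv4 bounds for a single IP, CIDR or IP range."""
    value = value.strip()
    if "/" in value:
        # strict=True rejects values such as 203.0.113.10/24 (host bits set);
        # that is this lint's choice, not documented Tekst behaviour.
        net = ipaddress.IPv4Network(value, strict=True)
        return net[0], net[-1]
    if "-" in value:
        start_s, end_s = value.split("-", 1)
        start = ipaddress.IPv4Address(start_s.strip())
        end = ipaddress.IPv4Address(end_s.strip())
        if start > end:
            raise ValueError(f"range start is after range end: {value!r}")
        return start, end
    addr = ipaddress.IPv4Address(value)
    return addr, addr


def lint_allow_list(entries):
    """Return (parsed, problems); entries listed in problems are excluded."""
    parsed, problems = [], []
    for value, description in entries:
        if not description or len(description) > MAX_DESCRIPTION:
            problems.append((value, "description must be 1 to 100 characters"))
            continue
        try:
            first, last = parse_entry(value)
        except ValueError as exc:  # covers malformed and IPv6 input
            problems.append((value, str(exc)))
            continue
        size = int(last) - int(first) + 1
        if size > BROAD_THRESHOLD:
            problems.append((value, f"very broad entry: {size} addresses"))
            continue
        parsed.append((first, last, description))
    return parsed, problems


def matching_entries(parsed, client_ip):
    """Return the descriptions of all parsed entries that cover client_ip."""
    addr = ipaddress.IPv4Address(client_ip)
    return [desc for first, last, desc in parsed if first <= addr <= last]


if __name__ == "__main__":
    parsed, problems = lint_allow_list(ENTRIES)
    for value, reason in problems:
        print(f"REVIEW {value}: {reason}")
    for ip in ("203.0.113.10", "203.0.113.200", "198.51.100.7"):
        print(ip, "->", matching_entries(parsed, ip) or "blocked")
```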
Tekst outbound IP addresses
If you need to allow traffic from Tekst to reach your own services (for example, webhook endpoints or custom step URLs), see Troubleshoot Firewall for a list of Tekst's fixed outbound IP addresses.
-
Configure security settings
This guide will explain the different security settings and how to configure them in the Tekst App to ensure your sensitive information remains protected.
On the Tekst platform, locate and click on the "Settings" option. This is typically found in the bottom navigation menu, providing access to various configuration and account management features. Within the "Settings" section, find and click on the "Security" tab.
Compliance Settings
Messages can be viewed
When enabled, messages become visible on the Analytics page. This allows users to view sample messages related to specific (sub)topics. When disabled, no message content will be shown.
Compliance banner
The compliance banner serves as a warning to users that personally identifiable information (PII) may be visible. It encourages responsible handling of such data.
You can choose when the banner should appear: "Always", "First time only", or "Never" when viewing message data.
PII warning
When enabled, a PII warning is shown when a user enters possibly sensitive information.
Data can be exported
Enabling this option allows administrators to export analytics data. When active, an export field appears, providing access to a downloadable CSV file containing the relevant data. When disabled, no export can be made.
Authentication Settings
Automatic logout after time
Configure the automatic logout after a specified amount of time by clicking on the relevant bar. This adds an extra layer of security, automatically logging out the user after a set number of minutes. Adjust the number field to select the desired time in minutes according to your company needs.
Automatic logout after inactivity
Similarly, click on the bar next to this setting to automatically log out the user after a defined period of inactivity. Adjust the number field to select the desired time in minutes according to your company preferences.
Enforce multi factor authentication
This setting requires every user in the organization to enable a two-factor authentication method. For a step-by-step setup guide, see Enabling Multi-Factor Authentication (MFA).
Default user role
All changes are automatically saved.
IP Firewall
The IP firewall restricts access to your project so that only users connecting from approved IP addresses can log in. When enabled, any request from an IP address that is not on the allow list is blocked.
For a detailed guide on enabling the firewall, managing the allow list, and supported IP formats, see Set up the IP firewall.
If you have any questions or run into any issues along the way, don't hesitate to contact our support team - we're here to help you get the most out of our secure platform.
-
Enabling Multi-Factor Authentication (MFA)
This guide will go through the process of enabling MFA on your account.
Multi-Factor Authentication (MFA) adds an extra layer of protection to your account, ensuring that only you can access it, even if your password is compromised.
Step 1: Navigate to "Account"
In the "Settings" page, go to the "Account" tab. This will take you to the section where you can manage various account settings, including the Multi-Factor Authentication setup.
Step 2: Enable MFA
Under the Authentication Settings, you can find the option to enable Multi-Factor Authentication.
Step 3: Verification and confirmation.
Once you've completed the setup, you may be asked to verify your identity to ensure the Multi-Factor Authentication is functioning correctly.
For administrators: monitoring MFA status.
If you are an administrator, you have the capability to monitor the MFA status of members in your team. Simply navigate to the admin dashboard or designated admin section, where you'll find a list of team members and their respective MFA status.
If you ever need to make changes to your MFA settings or encounter any issues during the setup process, our support team is here to assist you.
-
Switch to SSO authentication
This guide outlines how to authenticate users using Single Sign-On (SSO) instead of password authentication.
Prerequisites
Users who were added with password authentication will retain the ability to log in with their password even after SSO is enabled. Both authentication methods will work unless you disable password authentication organization-wide.
Make sure you have:
- Admin access to your identity provider (Azure AD, Google, Okta, etc.)
- Admin permissions in Tekst
- Communication plan to inform users about the change
Step 1: Enable SSO for your organization
First, set up SSO authentication for your organization so users can log in with their work credentials:
- Navigate to Settings → SSO in your Tekst dashboard
- Click Create new SSO
- Select your identity provider and follow the setup guide:
- Complete the configuration and enable the SSO method
Once SSO is enabled, all users in your organization will see the SSO login option on the Tekst login page, even if they were originally added with password authentication.
Step 2: Communicate the change to users
Since Tekst doesn't automatically force users to switch authentication methods, you need to inform your team:
- Send an email to all users explaining that SSO is now available
- Provide clear instructions on how to log in with SSO:
  - Go to your organization's Tekst login page (e.g., https://<yourcompany>.tekst.com)
  - Enter their work email address
  - Click the SSO option (e.g., "Continue with Microsoft", "Continue with Google")
  - Complete authentication through their identity provider
- Let users know that their existing password will still work if they prefer
Create a short video or screenshot guide showing the new SSO login process. This helps users understand exactly what changed and reduces support requests.
Step 3: Verify users are using SSO
After enabling SSO, you can check which authentication methods your users are using:
- Navigate to Settings → Users
- Review the Authentication column in the members table
- Look for badges showing:
  - "UPA" means the user is still using password authentication
  - Provider names like "google", "microsoft", or "okta" indicate SSO usage
When a user logs in with SSO for the first time, their authentication methods are automatically updated to include the SSO provider. You'll see this reflected in the Authentication column.
Troubleshooting

| Symptom | Likely cause | Resolution |
| --- | --- | --- |
| User doesn't see SSO option on login page | SSO method is not enabled in Tekst | Go to Settings → SSO and ensure the SSO method is enabled and configured correctly |
| User sees "SSO not configured" error | SSO metadata or certificates are incorrect | Review your SSO configuration and update the Federation Metadata XML or certificates |
| User can't log in with SSO on mobile | Certificate renewal or configuration issue | Check that your identity provider's certificates are current and properly configured in Tekst |
| Authentication column still shows "UPA" after user logged in with SSO | User hasn't actually logged in with SSO yet | Confirm the user is clicking the SSO button, not entering their password on the login page |

Limitations
- Admins cannot manually change a user's authentication method - it updates automatically when the user logs in
- Users added before SSO was enabled will retain password authentication unless they log in with SSO
- There is no bulk migration tool to force all users to SSO
- Both password and SSO authentication can coexist unless password authentication is explicitly disabled
Getting help
If you encounter issues switching users to SSO, collect the following information before contacting support:
- The email address of affected users
- The identity provider you're using (Azure AD, Google, Okta, etc.)
- Screenshots of any error messages
- Whether the SSO configuration was recently changed
- Confirmation that SSO is enabled in Settings → SSO
-
Using Azure AD for SSO with Tekst
This guide will show you how to set up your custom SAML application for Azure AD.
Step 1: Create application
- Log in with admin permissions to the Azure Admin console.
- Navigate to "Enterprise applications" and click "New application"
- In the next screen, click "Create your own application" and give your application a name
- Select the option "Integrate any other application you don't find in the gallery"
Step 2: Configure your application
- Select the "Single Sign On" option from the Manage section of your app and then select "SAML".
- Click "Edit" on the 'Basic SAML Configuration' section.
- Enter the following values in the 'Basic SAML Configuration' section on the next screen and click "Save"
  - Identifier (Entity ID): https://tekst.com
  - Reply URL (Assertion Consumer Service URL): https://api.tekst.com/api/auth/sso/saml
Step 3: Attribute mapping
- Click "Edit" on the 'Attributes & Claims' section.
- Configure the following attributes under the 'Attributes & Claims' section:

| Name | Value |
| --- | --- |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.mail |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | user.givenname |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | user.userprincipalname |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | user.surname |

- Go to the 'SAML Signing Certificate' section and download the 'Federation Metadata XML'.
Step 4: Upload metadata to Tekst
- Open the downloaded Federation Metadata XML file in a text editor and copy the entire contents.
- Log in to Tekst and navigate to Settings > SSO.
- Click "New SSO connection"
- Select "Azure AD" as the Identity Provider and click "Next"
- Paste the entire raw XML contents into the "Raw Metadata" field
- Click "Finish" to activate SSO. A success message will appear and a new "Continue with Azure AD" button will appear on the Tekst login page.
Ensure you paste the complete XML file including the declaration. Incomplete or malformed XML will result in a parsing error.
Step 5: Assign users in Azure AD
- Return to the Azure Portal and navigate to your Tekst Enterprise Application.
- Select "Users and groups" from the Manage section and click "Add user/group"
- Select the users or groups you want to grant access to Tekst and click "Assign".
Only users assigned to this Enterprise Application in Azure AD will be able to authenticate to Tekst via SSO. Ensure assigned users' email addresses match their Tekst accounts.
Step 6: Switching existing users to SSO
If you have existing users who currently log in with passwords, they can switch to SSO on their first SSO login. The SSO option will appear alongside the email/password login.
For detailed instructions on transitioning users, see How to switch a user from password login to SSO.
Communicate the change to your users via email with clear login instructions. Users will see both SSO and password options until passwords are disabled.
Troubleshooting
Raw metadata must be valid SAML XML
This error occurs when the XML is empty, incomplete, or malformed. Re-download the Federation Metadata XML from Azure and ensure you paste the complete file contents.
User not authorized or login fails
Verify the user is assigned to the Enterprise Application in Azure AD under Users and groups. Also check that the user's email in Azure matches their Tekst account email.
SSO button doesn't appear on login page
Ensure the SSO provider is activated in Tekst Settings. If you're on a free plan, you may need to upgrade to access SSO functionality.
AADSTS50105: User is blocked because they are not assigned access
This error means the user has not been granted access to the Tekst Enterprise Application in Azure AD. The full error message typically reads:
AADSTS50105: Your administrator has configured the application Tekst.com to block users unless they are specifically granted ('assigned') access to the application. The signed in user is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator.
This is a Microsoft-side restriction, not a Tekst issue. To resolve it, your IT administrator must assign the user to the Tekst Enterprise Application in Azure AD:
- Go to the Azure Portal and navigate to your Tekst Enterprise Application.
- Select "Users and groups" from the Manage section.
- Click "Add user/group" and assign the affected user or a group that includes them.
Once the user is assigned, they will be able to log in via SSO. If you are not an Azure AD administrator, contact your internal IT department to request access.
IdP-initiated login not working
Tekst only supports SP-initiated SSO, meaning users must start the login process at their organization's Tekst login page (e.g., <yourcompany>.tekst.com), not from the Azure AD dashboard.
-
Using Google for SSO with Tekst
This section will show you how to set up your custom SAML application for Google.
Step 1: Create application
- In your Google Admin console, click "Apps" from the sidebar then click Web and mobile apps from the list.
- If your application is already created, choose it from the list and move to the section Configure Application
- If you haven't created a SAML application, click Add custom SAML app from the menu.
- Give your application an App name and click Continue.
Step 2: Configure Application
- On the next screen, click DOWNLOAD METADATA to download the metadata XML file, then click Continue.
Enter the following values in the Service provider details section:
- ACS URL: https://api.tekst.com/api/auth/sso/saml
- Entity ID: https://tekst.com
- Name Id: Basic Information > Primary email
Replace the values with the ones above and click Continue to save the configuration.
Step 3: Attribute Mapping
- Configure the following attributes under the Attributes section. Click "Finish" to save the configuration.

| App attributes | Google directory attributes |
| --- | --- |
| email | Primary email |
| firstName | First name |
| lastName | Last name |

- From the next screen, click User access to configure the application to allow users to log in. Check the ON for everyone checkbox and click Save.
Step 4: Upload metadata to Tekst
- Open the downloaded Federation Metadata XML file in a text editor and copy the entire contents.
- Log in to Tekst and navigate to Settings > SSO.
- Click "New SSO connection"
- Select "Google Identity Cloud" as the Identity Provider and click "Next"
- Paste the entire raw XML contents into the "Raw Metadata" field
- Click "Finish" to activate SSO. A success message will appear and a new "Continue with Google" button will appear on the Tekst login page.
Ensure you paste the complete XML file including the declaration. Incomplete or malformed XML will result in a parsing error.
Step 5: Switching existing users to SSO
If you have existing users who currently log in with passwords, they can switch to SSO on their first SSO login. The SSO option will appear alongside the email/password login.
For detailed instructions on transitioning users, see How to switch a user from password login to SSO.
Communicate the change to your users via email with clear login instructions. Users will see both SSO and password options until passwords are disabled.
-
Using Okta for SSO with Tekst
This section will show you how to set up your custom SAML application for Okta SAML.
Step 1: Create application
- In your Okta account, navigate to "Applications" using the left-hand menu.
- If your application already exists, select it from the list and proceed to the "Configure Application" section.
- If you haven’t created a SAML application yet, click "Create App Integration" to start setting up a new one.
- On the next screen, select "SAML 2.0" as the sign-in method, then click "Next" to continue.
- Give your application an App name and click "Next".
Step 2: Configure Application
- Enter or select the following values in the SAML Settings section on the next screen:
  - Single Sign on URL: https://api.tekst.com/api/auth/sso/saml
  - Audience URI (SP Entity ID): https://tekst.com
  - Name ID format: EmailAddress (select as an option)
Step 3: Attribute Mapping
- Under the Attribute Statements section, you have to configure the following attributes:

| Name | Value |
| --- | --- |
| id | user.id |
| email | user.email |
| firstName | user.firstName |
| lastName | user.lastName |

- On the next screen select "I'm an Okta customer adding an internal app" and "This is an internal app that we have created". Then click "Finish".
- From your application, click "Sign On tab" and go to the section SAML Signing Certificates
- Click the Actions dropdown for the correct certificate and click "View IdP metadata". A separate window will open with the metadata XML file, which you can copy to your clipboard. This is the metadata you use to connect to Tekst.
Step 4: Upload metadata to Tekst
- Open the downloaded Federation Metadata XML file in a text editor and copy the entire contents.
- Log in to Tekst and navigate to Settings > SSO.
- Click "New SSO connection"
- Select "Okta" as the Identity Provider and click "Next"
- Paste the entire raw XML contents into the "Raw Metadata" field
- Click "Finish" to activate SSO. A success message will appear and a new "Continue with Okta" button will appear on the Tekst login page.
Ensure you paste the complete XML file including the declaration. Incomplete or malformed XML will result in a parsing error.
Step 5: Switching existing users to SSO
If you have existing users who currently log in with passwords, they can switch to SSO on their first SSO login. The SSO option will appear alongside the email/password login.
For detailed instructions on transitioning users, see How to switch a user from password login to SSO.
Communicate the change to your users via email with clear login instructions. Users will see both SSO and password options until passwords are disabled.
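The Azure AD, Google and Okta guides all end with pasting the complete IdP metadata XML into the "Raw Metadata" field, where truncated or malformed XML is rejected. The following pre-check is an added example, not Tekst's validator: it uses the standard SAML 2.0 metadata element names, and the sample document, its idp.example.com URLs and its certificate text are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"   # SAML 2.0 metadata namespace
DS = "http://www.w3.org/2000/09/xmldsig#"     # XML Signature namespace

# Constructed sample; the certificate body is a placeholder, not a real key.
GOOD = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(raw):
    """Return a list of problems in IdP metadata XML; an empty list means OK."""
    text = raw.strip()
    if not text:
        return ["metadata is empty"]
    problems = []
    if not text.startswith("<?xml"):
        problems.append("XML declaration missing; paste the complete file")
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        # IdP metadata carries no DTD; refuse rather than expand entities.
        return problems + ["DOCTYPE/ENTITY found; not parsing"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return problems + [f"malformed or truncated XML: {exc}"]
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return problems + [f"unexpected root element: {root.tag}"]
    if not root.get("entityID"):
        problems.append("EntityDescriptor has no entityID")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return problems + ["no IDPSSODescriptor (is this SP metadata?)"]
    # A KeyDescriptor without a "use" attribute applies to signing as well.
    certs = [
        cert
        for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
        if kd.get("use") in (None, "signing")
        for cert in kd.iter(f"{{{DS}}}X509Certificate")
        if (cert.text or "").strip()
    ]
    if not certs:
        problems.append("no signing certificate in IDPSSODescriptor")
    endpoints = idp.findall(f"{{{MD}}}SingleSignOnService")
    if not endpoints:
        problems.append("no SingleSignOnService endpoint")
    for svc in endpoints:
        location = svc.get("Location", "")
        if not location.lower().startswith("https://"):
            problems.append(f"SingleSignOnService is not HTTPS: {location}")
    return problems


if __name__ == "__main__":
    print(check_idp_metadata(GOOD) or "metadata looks complete")
    print(check_idp_metadata(GOOD[: len(GOOD) // 2]))
```

This checks structure only; it does not verify certificate validity or expiry.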
-
Troubleshoot Firewall
This guide will assist you in setting up your firewall to ensure seamless access to the Tekst platform. Proper firewall configurations are essential for users to visit their Tekst dashboard (e.g., <yourcompany>.tekst.com) without any restrictions.
Basic Firewall Guidelines
Allow HTTPS on Port 443 for Tekst Endpoints
To enable user access to the Tekst platform, make sure your firewall allows HTTPS traffic on port 443 for the following domains:
- *.tekst.com
- *.tekst.com
This is essential for establishing secure connections with the Tekst services.
Whitelist Tekst Domains
Additionally, whitelist both *.tekst.com and *.tekst.com in your firewall settings. This ensures uninterrupted access to the Tekst platform and prevents any connection issues caused by domain restrictions.
Tekst Outbound IP Addresses
All outbound communication from the Tekst platform - including custom step requests, webhook calls, and integration traffic - originates from the following fixed IP addresses:

| IP Address | Region |
| --- | --- |
| 54.72.8.251 | EU (Ireland) |
| 54.247.143.2 | EU (Ireland) |
| 52.18.99.212 | EU (Ireland) |

If a third-party service requires you to whitelist incoming traffic from Tekst, add all three IP addresses to the allow list. Tekst traffic may come from any of the three addresses, so all must be included for reliable connectivity.
-
Restrict access to models and integrations
If you're an Admin on Tekst, you can control who has access to your models and integrations by setting restrictions at the user or group level. This allows you to ensure that sensitive models or integration connections are only accessible to authorized individuals or teams.
Prerequisites
- You must have Admin privileges in your Tekst organization
- Users or groups you want to restrict access for must already exist in your organization
Steps
For Integrations
- Navigate to the Integrations section in your Tekst dashboard
- Find the integration you want to restrict access to and click on it to open its settings
- Click on the Access tab
- Select Add restriction
- In the Grant access to: field, type the name of the user or group you want to give access to
- Select the user or group from the dropdown menu that appears
- Click Save to apply the restriction
For Models
- Navigate to the Models section in your Tekst dashboard
- Find the model you want to restrict access to and click on it to open its settings
- Click on the Settings tab
- Select Access from the settings menu
- Click Add restriction
- In the Grant access to: field, type the name of the user or group you want to give access to
- Select the user or group from the dropdown menu that appears
- Click Save to apply the restriction
Verify the setup
Once you've applied access restrictions, only the specified users or groups will be able to view and use the restricted models or integrations. Users not included in the restriction will not see these resources in their respective sections of the platform.