• Documentation
    • Search documentation
    karat

    +

    K

    API Reference ↗
    Management & enablementConsumer modeOverview

    Consumer mode

    Consumer mode allows you to configure Foundry so that users can access specific applications without broader access to the Foundry platform. Consumer mode is particularly useful for building business-to-consumer (B2C) and business-to-business (B2B) applications where external users need access to data and workflows without full platform access.

    Rather than a singular solution, consumer mode is a way to configure Foundry such that consumer users, builders, and administrators can only access the features and applications appropriate to their roles.

    • Consumer users can only access target applications and necessary resources.
    • Consumer user API access is restricted to only include their specific needs.
    • Consumer users should never see the Foundry login page, or they should be automatically redirected if already authenticated.
    • Builders can leverage Marketplace for release management.
    • Builder administrators can enforce that consumers never receive roles beyond the consumer role.

    Consumer application solutions

    Foundry supports three types of consumer-facing application configurations:

    In-platform consumer applications

    A Workshop, Slate, or Carbon applications with restricted platform access.

    • Recommended use: Build low-code custom applications. Iterate quickly using low-code application builders, and deploy to customers with minimal maintenance burden once built.
    • User login experience: Interactive login flow with automatic redirect.

    OAuth applications

    An authorization grant OAuth application hosted within Foundry.

    • Recommended use: Build pro-code applications hosted in Foundry, leveraging Foundry security primitives for interactive custom applications.
    • User login experience: Interactive login flow with OAuth redirect (consent configurable).
    • Hosting: Foundry subdomains (for example, https://subdomain-for-app.your-foundry-domain.com/).

    Client credentials applications

    An OAuth/OSDK application hosted externally using a client credentials flow.

    • Recommended use: Build pro-code applications for maximal user scale that requires customer-defined user authentication and authorization logic outside of Foundry.
    • User login experience: Application builders must fully own the login experience.
    • Hosting: External hosting environment with API access to Foundry.

    Consumer mode considerations

    Scale: Ensure your solution meets your needs

    When Foundry manages authentication and authorization, it supports the following metrics:

    • User capacity: 500,000+ users
    • User onboarding: Up to 5,000 new users per hour
    • Organization limits: Five organizations per enrollment by default

    A client credentials application manages authentication and authorization outside Foundry; only API limits apply.

    Seamless login: Prevent unnecessary authentication

    Consumer mode supports two login patterns:

    • Interactive login flow: Users authenticate through configured identity providers with automatic redirect.
    • No login flow: Service-to-service authentication using client credentials.

    Some features for seamless login include the following:

    • Default IDP per domain: Automatic redirect to identity provider.
    • Realm parameter support: Direct IDP linking using ?realm=realmId for multi-IDP domains to redirect to identity provider.

    Security: Configure access and prevent platform exposure

    Consumer mode security operates on multiple levels:

    Application access restrictions

    • Platform access control: Disable broader Foundry platform access for consumer organizations.
    • Application-specific access: Grant access only to Workshop, Slate, or Carbon applications.

    API access restrictions

    • Role-based permissions: Enforce minimal permissions necessary for application functionality.
    • Service user permissions: For client credentials, manage authorization through service user roles.

    User and group isolation

    • Private organizations (beta): Prevent consumers from discovering other users or groups within the organization.
    • Cross-organization restrictions: Block visibility and collaboration between consumer and internal organizations.

    Getting started

    Step 1: Set up Foundry for consumer usage

    Foundry platform setup is only required when using Foundry user permissions and authentication. If you are only creating client credentials applications, you can skip this step.

    Review our documentation to configure your Foundry enrollment for consumer mode.

    Step 2: Configure your consumer application

    1. In-platform consumer application
    2. OAuth application
    3. Client credentials application