Security & data

Authentication & workspace access

End users sign in with Clerk. We map Clerk users to rows in our database. Pipeline and catalog data are scoped by workspace owner ids — organization members access the owner's shared resources according to their invite role.

Team roles (RBAC)

Organization owners invite teammates with roles: member (full write), viewer (read-only), catalog editor (metadata edit only), and catalog browser (browse public-tagged catalog entries only). See Catalog & assets for the full matrix and API scopes (catalog:read, catalog:write, pipelines:*).

Data at rest

  • Pipeline definitions — Postgres (e.g. Neon): code, YAML, metadata.
  • Optional GitHub OAuth tokens — AES-256-GCM encrypted with a server key; never logged to the client.

Secrets

Source and destination credentials for running ingestion usually live in your execution environment (CI, runner, local .env), not in the eltPulse UI — unless you use an optional integration that stores tokens server-side (e.g. BYO GitHub).

Connections (saved profiles)

The Connections page stores named profiles per user: connector type, non-secret config, and optionally encrypted secrets for use by trusted runtimes. Pipelines link saved profiles by id; generated artifacts may include resolved names for runners. Monitors can require a matching connection so S3/SQS checks know which credential profile to use.

A gateway using a valid Bearer token may call GET /api/agent/connections and receive decrypted secret key/value pairs for that user's connections — only deploy gateways you trust with that data. See Concepts and Gateway.

SSO / SAML (Team+)

SSO/SAML is included on Team and Enterprise. Configure your identity provider as an Enterprise connection in the Clerk Dashboard — the sign-in page shows Continue with SSO automatically when connections are active. Setup instructions live on Account → Security.

Air-gapped metadata export (Team+)

Team and Enterprise workspaces can mirror redacted run metadata to an HTTPS webhook on every terminal run. Configure the export URL and an optional HMAC signing secret on Account → Security. Payload schema: schemaVersion: 1, exportKind: run.metadata — status, row counts, error summary, and telemetry rollup (no raw log lines).

After a successful export (v2), verbose run logs and telemetry samples are redacted in eltPulse Cloud; only the summary rollup and an informational notice remain in the run record.
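
A receiver for the signed export webhook can authenticate each delivery before trusting its contents, as in the sketch below. This is an added example, not eltPulse code: the header name `X-Export-Signature` and the hex-encoded HMAC-SHA256 over the raw request body are assumptions, so substitute the scheme your workspace actually uses.

```python
import hashlib
import hmac
import json

# Assumptions (not from the eltPulse docs): HMAC-SHA256 over the raw request
# body, hex-encoded, delivered in a header we call SIGNATURE_HEADER.
SIGNATURE_HEADER = "X-Export-Signature"  # hypothetical header name
SUPPORTED_SCHEMA = 1                     # schemaVersion stated on this page
REQUIRED_KIND = "run.metadata"           # exportKind stated on this page


class ExportRejected(Exception):
    """Raised when an export delivery fails verification."""


def verify_export(raw_body: bytes, headers: dict, secret: bytes) -> dict:
    """Authenticate the raw body first, then parse and check the envelope."""
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower(), "")
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # Constant-time compare, done before any JSON parsing of untrusted input.
    if not hmac.compare_digest(expected.encode(), received.strip().lower().encode()):
        raise ExportRejected("bad or missing signature")
    try:
        payload = json.loads(raw_body)
    except ValueError as exc:
        raise ExportRejected("body is not JSON") from exc
    if not isinstance(payload, dict):
        raise ExportRejected("unexpected payload shape")
    if payload.get("schemaVersion") != SUPPORTED_SCHEMA:
        raise ExportRejected("unsupported schemaVersion")
    if payload.get("exportKind") != REQUIRED_KIND:
        raise ExportRejected("unexpected exportKind")
    return payload


def demo() -> dict:
    # Constructed sample delivery; the secret and the "status" key are made up.
    secret = b"constructed-demo-secret"
    body = json.dumps({"schemaVersion": 1, "exportKind": "run.metadata",
                       "status": "succeeded"}).encode()
    sig = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return verify_export(body, {SIGNATURE_HEADER: sig}, secret)


if __name__ == "__main__":
    print(demo())
```

Verify against the exact bytes received, not a re-serialized copy of the parsed JSON, since re-serialization can change the byte sequence and break the MAC.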

Billing

Stripe identifiers and plan tier are stored for subscription management. See Billing under Account & Settings.
