External Participants
External Participants enable customer stakeholders to participate in AI-driven processes without requiring full platform accounts, using secure magic link authentication.
Why External Participants?
Enterprise deployments involve people outside your organization:
- Customer IT Admins -- Approve SSO configurations
- Customer CISOs -- Sign off on security reviews
- Customer HR Managers -- Validate SCIM user mappings
- Partners -- Review integration configurations
These stakeholders need secure access without creating accounts, limited and scoped permissions, a clear audit trail, and easy approval workflows.
How It Works
- An agent reaches an approval gate in a process
- The system generates a magic link for the external participant
- An email is sent with the magic link and context
- The participant clicks the link and lands on a secure approval portal
- They review context, artifacts, and make their decision
- The decision is recorded and the process continues
The Participant Portal
External participants access a secure, limited portal that shows:
- Current phase and progress
- Pending approvals requiring their action
- Artifacts and documentation to review
- Comment threads for discussion
- Decision history
Portal Permissions
| Permission | Description |
|---|---|
| View | See process status and artifacts |
| Approve | Approve pending requests |
| Reject | Reject and provide feedback |
| Comment | Add comments to the process |
| Upload | Upload additional documents |
Approval States
An approval request moves through these states:
Pending --> Approved (process continues)
Pending --> Changes Requested --> Pending (after changes are made)
Pending --> Rejected (process handles rejection)
Notification Types
| Type | Trigger |
|---|---|
| Approval required | New approval request created |
| Reminder | Configurable intervals (e.g., 24h, 48h) |
| Escalation | Timeout reached, escalated to backup |
| Status update | Phase completed |
| Completion | Entire process completed |
Setting Up External Participants
Defining Participants in a Process
Each process definition includes human participant roles. For each role, you specify:
| Property | Description |
|---|---|
| Name | Display name (e.g., "Customer IT Administrator") |
| RAID Role | Approver, Informed, or Delegator |
| Required Approvals | Which tasks require this person's sign-off |
| Notification Preferences | Email frequency, reminder intervals |
Assigning to a Process Instance
When starting a process, map real people to the defined roles:
- Participant role ID (from the definition)
- Email address
- Name and title
Magic Link Authentication
Magic links are:
- Single-use per session -- One click creates a session
- Time-limited -- Configurable expiration (e.g., 7 days)
- Scoped -- Tied to a specific process and participant role
- Revocable -- Can be invalidated at any time
If a contact changes, revoke the existing link and generate a new one for the replacement.
Requesting Approval
When an agent reaches a gate, it creates an approval request with:
- A title and description explaining what needs review
- Attached artifacts (configuration summaries, test results, reports)
- Context data (technical details, recommendations)
- Expiration time and reminder schedule
The participant receives an email with a review button (magic link).
Custom Email Templates
You can customize the email templates for approval requests using template variables for process name, participant name, task title, due date, and approval link.
IP Restrictions
For high-security scenarios, restrict portal access by IP range, require MFA, or limit concurrent sessions.
Access Logging
All external participant actions are logged: link access, artifact views, approval submissions, comments. Each log entry includes timestamp, IP address, user agent, and action details.
Security
Token Security
Magic link tokens are single-use per session, time-limited with configurable expiration, scoped to a specific process and participant, and revocable at any time.
Audit Trail
Every action by an external participant is logged for compliance review, including when they accessed the portal, what they viewed, and what decisions they made.
Best Practices
Define specific responsibilities for each participant. IT admins approve technical configurations. CISOs approve security reviews. HR managers receive informational notifications.
Technical review: 48 hours with a 24-hour reminder. Security review: 5 days with reminders at 24, 72, and 96 hours. Set realistic deadlines based on stakeholder availability.
Include all artifacts, test results, and context needed for a decision. The easier you make it for the reviewer, the faster you get a response.
Always configure a backup contact. If the primary reviewer does not respond within the timeout, escalate automatically to their backup.
Next: Learn about Audit Logs for tracking all process activities.