Skip to main content

External Participants

External Participants enable customer stakeholders to participate in AI-driven processes without requiring full platform accounts, using secure magic link authentication.

Why External Participants?

Enterprise deployments involve people outside your organization:

  • Customer IT Admins -- Approve SSO configurations
  • Customer CISOs -- Sign off on security reviews
  • Customer HR Managers -- Validate SCIM user mappings
  • Partners -- Review integration configurations

These stakeholders need secure access without creating accounts, limited and scoped permissions, a clear audit trail, and easy approval workflows.

How It Works

  1. An agent reaches an approval gate in a process
  2. The system generates a magic link for the external participant
  3. An email is sent with the magic link and context
  4. The participant clicks the link and lands on a secure approval portal
  5. They review context, artifacts, and make their decision
  6. The decision is recorded and the process continues

The Participant Portal

External participants access a secure, limited portal that shows:

  • Current phase and progress
  • Pending approvals requiring their action
  • Artifacts and documentation to review
  • Comment threads for discussion
  • Decision history

Portal Permissions

PermissionDescription
ViewSee process status and artifacts
ApproveApprove pending requests
RejectReject and provide feedback
CommentAdd comments to the process
UploadUpload additional documents

Approval States

An approval request moves through these states:

Pending --> Approved (process continues)

Pending --> Changes Requested --> Pending (after changes are made)

Pending --> Rejected (process handles rejection)

Notification Types

TypeTrigger
Approval requiredNew approval request created
ReminderConfigurable intervals (e.g., 24h, 48h)
EscalationTimeout reached, escalated to backup
Status updatePhase completed
CompletionEntire process completed

Setting Up External Participants

Defining Participants in a Process

Each process definition includes human participant roles. For each role, you specify:

PropertyDescription
NameDisplay name (e.g., "Customer IT Administrator")
RAID RoleApprover, Informed, or Delegator
Required ApprovalsWhich tasks require this person's sign-off
Notification PreferencesEmail frequency, reminder intervals

Assigning to a Process Instance

When starting a process, map real people to the defined roles:

  • Participant role ID (from the definition)
  • Email address
  • Name and title

Magic links are:

  • Single-use per session -- One click creates a session
  • Time-limited -- Configurable expiration (e.g., 7 days)
  • Scoped -- Tied to a specific process and participant role
  • Revocable -- Can be invalidated at any time

If a contact changes, revoke the existing link and generate a new one for the replacement.

Requesting Approval

When an agent reaches a gate, it creates an approval request with:

  • A title and description explaining what needs review
  • Attached artifacts (configuration summaries, test results, reports)
  • Context data (technical details, recommendations)
  • Expiration time and reminder schedule

The participant receives an email with a review button (magic link).

Custom Email Templates

You can customize the email templates for approval requests using template variables for process name, participant name, task title, due date, and approval link.

IP Restrictions

For high-security scenarios, restrict portal access by IP range, require MFA, or limit concurrent sessions.

Access Logging

All external participant actions are logged: link access, artifact views, approval submissions, comments. Each log entry includes timestamp, IP address, user agent, and action details.

Security

Token Security

Magic link tokens are single-use per session, time-limited with configurable expiration, scoped to a specific process and participant, and revocable at any time.

Audit Trail

Every action by an external participant is logged for compliance review, including when they accessed the portal, what they viewed, and what decisions they made.

Best Practices

Clear Participant Roles

Define specific responsibilities for each participant. IT admins approve technical configurations. CISOs approve security reviews. HR managers receive informational notifications.

Appropriate Timeouts

Technical review: 48 hours with a 24-hour reminder. Security review: 5 days with reminders at 24, 72, and 96 hours. Set realistic deadlines based on stakeholder availability.

Provide Full Context

Include all artifacts, test results, and context needed for a decision. The easier you make it for the reviewer, the faster you get a response.

Plan for Escalation

Always configure a backup contact. If the primary reviewer does not respond within the timeout, escalate automatically to their backup.


Next: Learn about Audit Logs for tracking all process activities.