Personal vs Workspace Credentials for Tools & MCP Servers
This guide explains how to understand and configure authentication options for tools and MCP servers in your Dust workspace.
Overview
When adding tools that require authentication (like GitHub, HubSpot, or remote MCP servers), you have two credential configuration options. Understanding these options is crucial for managing data security and user access in your workspace.
Authentication Types
Workspace Level Credentials
What it means: One set of credentials shared by all workspace users
Setup: Admin provides credentials during tool setup
Usage: All users access the external service using the same account
Best for: Centralized control, shared service accounts, or when you want consistent permissions across all users
These credentials will be used by all users who have access to the tool.
Personal Level Credentials
What it means: Each user connects their own individual credentials
Setup: Admin completes initial OAuth flow, then each user authenticates individually
Usage: Users access external services with their personal accounts
Best for: User-specific data access, individual accountability, or when users need different permission levels
Even with personal credentials, admins must complete the initial OAuth flow to verify the connection works and gather necessary metadata (like Slack team ID, Salesforce instance URL, etc.) that will be reused for individual user connections.
Making the Decision
Choose Workspace Level when:
- You want centralized control over what data is accessible
- You're using a shared service account
- All users should have the same level of access
- You want to simplify user onboarding
Choose Personal Level when:
- Users need access to their individual accounts (personal GitHub repos, individual HubSpot permissions, etc.)
- You want user actions to be attributed to the correct person
- Different users have different permission levels in the external service
- You want to maintain individual audit trails
Configuration Process
For Workspace Credentials:
Navigate to Knowledge > Tools in your workspace
Click Add Tools and select your desired tool
Choose Workspace credentials
Complete the OAuth flow with the shared account
For Personal Credentials:
Navigate to Knowledge > Tools in your workspace
Click Add Tools and select your desired tool
Choose Personal credentials
Complete the admin OAuth flow to:
- Verify that the connection is working properly
- Gather necessary metadata (team IDs, instance URLs, etc.)
- Enable the tool for workspace users
Users will then authenticate individually when first using the tool
Security Considerations
Workspace credentials: Simpler to manage but less granular control
Personal credentials: More secure attribution but requires both admin setup and individual user authentication
Data sharing: Both options share the same data with external services; the difference is whose account performs the actions
Managing Existing Tools
You can change authentication settings for existing tools by:
Going to the tool's configuration page
Updating the authentication method
Re-authenticating as needed (admin OAuth flow required for personal credentials)
Note that changing from workspace to personal credentials will require the admin to complete the initial OAuth flow, followed by individual user authentication.
Updated about 6 hours ago