Assist is a platform where teams can build, host, and deploy internal AI software and agents in one place — giving companies a safe, controlled environment to standardize workflows and improve operations.

What are sandcastles?

Sandcastles are purpose-built internal apps created by non-technical teams on the Assist platform. They allow employees to build custom tools and workflows without engineering resources.

How much does Assist cost?

Assist uses pay-as-you-go pricing: provider costs + 5%, $0.17 per 1k tool calls, with no seat fees. Enterprise custom pricing is also available.

Do we need engineers to use Assist?

No. Assist is designed for non-technical teams to build and deploy AI tools. Engineers can use it too, but it doesn't require engineering resources to get started.

Setting Up SSO

Single sign-on lets your team log into Assist with their existing company identity provider — Okta, Azure AD, Google Workspace, Auth0, or any OIDC-compatible provider. Once configured, users sign in with their company credentials and are automatically provisioned into your workspace.

Before you begin

You must be a workspace admin.
You need admin access to your identity provider to create an OIDC application.
Have the following from your IdP: Issuer URL, Client ID, and Client Secret.

Steps

1. Open SSO settings

Go to Workspace > SSO. This page has two sections: SSO Configuration and Directory Sync.

2. Enter your OIDC provider details

Issuer URL — the OIDC discovery endpoint for your provider (e.g., https://your-company.okta.com). Assist uses this to discover the authorization, token, and userinfo endpoints automatically.
Client ID — from the application you created in your IdP.
Client Secret — from the same application.

3. Configure options

Auto-provision users — when enabled, any user who signs in through SSO for the first time is automatically added to your workspace. When disabled, users must be pre-invited.
Email domain restriction — restrict SSO to specific email domains (e.g., yourcompany.com). Users with emails outside the allowed domains cannot sign in through SSO.
Enforce SSO — when enabled, password login is disabled for your workspace. All users must sign in through the identity provider. Use this after you have confirmed SSO is working correctly.

4. Enable and test

Toggle Enabled on. Open a private/incognito browser window and try signing in with a company account. Confirm the user lands in the correct workspace.

If it fails, check:

The Issuer URL is reachable from the internet.
The Client ID and Secret match what the IdP shows.
The redirect URI in your IdP matches the one Assist expects (shown on the SSO page).

Directory Sync (SCIM)

Directory sync keeps your Assist workspace in sync with your identity provider's user directory. When someone is added or removed in Okta (or Azure AD, or any SCIM 2.0 provider), the change is reflected in Assist automatically.

Setting up directory sync

On the SSO page, scroll to Directory Sync.
Copy the SCIM endpoint URL and Bearer token shown on the page.
In your identity provider, create a SCIM provisioning integration using the endpoint URL and token.
Map groups: your IdP groups can be mapped to Assist groups with a default role assignment. This means that when someone is added to a group in the IdP, they automatically get the right permissions in Assist.

What directory sync handles

User provisioning: new users in the IdP are created in Assist.
User deprovisioning: removed users lose access.
Group sync: IdP groups map to Assist groups. Membership changes flow through.

The Activity Log on the SSO page shows recent sync events so you can verify it is working.