
Summary

Issue: Users see a “You did not grant access” error when signing in via SSO. The error occurs when the IdP receives access_type=offline in OAuth requests but doesn’t support refresh tokens.

Cause: Clerk sends access_type=offline to request refresh tokens, but some IdPs reject this parameter when refresh tokens aren’t supported.

Resolution: Switch from OAuth to SAML authentication, which doesn’t include the access_type=offline parameter.

Resolution steps

Step 1: Verify the root cause

Check your IdP logs for failed authentication requests containing access_type=offline. This parameter asks the IdP to issue refresh tokens, which are used to renew access while the user is inactive.
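One way to run this check over an exported IdP log, as an added example that is not part of the original page or of Braintrust's or Clerk's tooling. The JSON-lines layout and the field names (outcome, request_url, user) are assumptions and the sample lines are constructed; map them to your IdP's actual export format.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines. The field names ("outcome", "request_url", "user")
# are assumptions; real IdP exports use their own schema.
SAMPLE_LOG = """\
{"user":"alice@example.com","outcome":"FAILURE","request_url":"https://idp.example.com/oauth2/authorize?client_id=abc&response_type=code&scope=openid%20email&access_type=offline"}
{"user":"bob@example.com","outcome":"SUCCESS","request_url":"https://idp.example.com/oauth2/authorize?client_id=abc&response_type=code&scope=openid"}
{"user":"carol@example.com","outcome":"FAILURE","request_url":"https://idp.example.com/oauth2/authorize?client_id=abc&response_type=code&scope=openid"}
{"user":"dave@example.com","outcome":"FAILURE","request_url":"https://idp.example.com/oauth2/authorize?client_id=abc&access_type=offline&prompt=consent"}
truncated or non-JSON line
"""

def requests_offline_access(url):
    """True if the authorization request URL carries access_type=offline."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return "offline" in query.get("access_type", [])

def triage(log_text):
    """Separate failed sign-ins that match this issue from other failures."""
    result = {"matches": [], "other_failures": [], "skipped": 0}
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            result["skipped"] += 1  # count unparseable lines instead of hiding them
            continue
        if not isinstance(event, dict) or event.get("outcome") != "FAILURE":
            continue
        if requests_offline_access(event.get("request_url", "")):
            result["matches"].append(event.get("user"))
        else:
            # Failed without the parameter: check user assignment or certificates
            result["other_failures"].append(event.get("user"))
    return result

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("Failed requests with access_type=offline:", report["matches"])
    print("Failed requests without it:", report["other_failures"])
    print("Unparseable lines skipped:", report["skipped"])
```

Failures listed under other_failures did not carry the parameter, so the SAML migration alone would not explain them.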

Step 2: Switch to SAML authentication

Contact Braintrust support to migrate from OAuth to SAML. You’ll need to provide:
  • SSO URL
  • Entity ID
  • Certificate
  • Metadata URL (if available)

Step 3: Configure SAML on your IdP

Your IT team will need to:
  1. Create SAML clients for each Braintrust org
  2. Generate metadata XML files
  3. Configure the SSO URL endpoint

Step 4: Test the SAML connection

Once Braintrust support enables SAML, test login for each configured org to confirm the error is resolved.

Alternative workarounds

If switching to SAML isn’t immediately possible:

Try a regular browser session

Close incognito/private windows and sign in from a regular Chrome or Safari session. Clear cookies for braintrust.dev before attempting login.

Verify IdP user assignment

Have your IT team confirm the user is assigned to the Braintrust application in your organization’s IdP.

What this error means

The “You did not grant access” screen is a Clerk-rendered OAuth error that appears when the IdP rejects the authentication request. Unlike network errors or VPN blocks, this error indicates the request successfully reached Braintrust’s auth layer but failed during the IdP handoff.

Common causes of IdP rejections:
  • access_type=offline (requests refresh tokens)
  • Missing user assignments
  • Expired certificates