Worker App Setup

FlightIQ uses a PingOne worker application so the backend can call PingOne and DaVinci APIs. This is separate from user login. The worker app is used for server-side API access, token minting, environment discovery, artifact reads, and supported write operations.

What You Need

Collect these values from PingOne:

  • Tenant or org label you want to show in FlightIQ.
  • PingOne environment ID for the tenant context.
  • Worker application client ID.
  • Worker application client secret.

The environment ID and client ID must be UUID values.

Create or Identify the PingOne Worker App

In PingOne, create or identify an application intended for API access.

Recommended setup:

  1. Use a dedicated worker application for FlightIQ.
  2. Use client credentials or the equivalent machine-to-machine grant supported by your PingOne tenant.
  3. Assign only the roles needed for the environments and domains FlightIQ should manage.
  4. Store the generated client secret securely.

Do not reuse an end-user login application as the worker application. The worker app represents backend API access, not interactive user sign-in.

Configure FlightIQ

In FlightIQ, either use the startup Configure Tenant page, which is shown when no tenant apps are configured, or open Settings > Access & Authentication once the app is already running.

If you are already in the main app, open Settings and select Access & Authentication. Then:

  1. In Tenant Configuration, enter the tenant name, environment ID, backend API client ID, and client secret.
  2. Click Save.
  3. Click Test Backend API Credentials.

A successful test confirms that FlightIQ can mint a backend API token. FlightIQ stores secrets on the backend and does not expose them to the browser.

When you are using the first-time setup page, complete this worker app section before selecting an Org Root or expecting workspace data to load.

Select the Tenant

After saving the tenant:

  1. Use the top header to select the Org Root.
  2. Select a source environment.
  3. Select a destination environment when the workflow needs comparison, copy, or migration.

FlightIQ remembers the last selected Org Root and environments in browser storage so the same context can be restored after reload.

Access Expectations

The worker app must be allowed to read every domain you expect to view. Write operations require stronger permissions.

Examples:

  • Viewing flows requires DaVinci read access.
  • Copying or updating flows requires DaVinci write access.
  • Viewing or copying forms, templates, attributes, or certificates requires relevant PingOne identity access.
  • Connector and application operations require DaVinci access to the selected environment.

FlightIQ does not elevate privileges beyond what PingOne allows for the configured credentials.

Validation Checklist

Before using a tenant in production-like workflows:

  1. Confirm the environment ID points to the intended PingOne tenant context.
  2. Confirm the worker app is dedicated to FlightIQ.
  3. Confirm the worker app has the minimum required roles.
  4. Confirm Test Backend API Credentials succeeds.
  5. Open a read-only workspace first and verify data loads.
  6. Confirm write access in a non-production environment before using copy, update, delete, or migration actions.

Troubleshooting

Credential Test Fails

Check:

  • Environment ID is valid and belongs to the expected tenant.
  • Client ID is valid.
  • Client secret was copied completely.
  • The worker app is enabled.
  • The grant type and role assignments allow API token minting.
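
To separate a credential problem from a FlightIQ problem, the same checks can be run outside the app. The script below is an added example, not FlightIQ code: it validates the UUID and secret inputs, then requests a client-credentials token from the PingOne token endpoint. The function names are hypothetical, and it assumes the North America auth host and HTTP Basic client authentication on the worker app.

```python
import base64
import urllib.error
import urllib.parse
import urllib.request
import uuid

# Assumption: North America auth host; other PingOne regions use a different domain.
AUTH_BASE = "https://auth.pingone.com"

def is_uuid(value):
    """True only for a canonical hyphenated UUID string."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, TypeError, AttributeError):
        return False

def preflight(env_id, client_id, client_secret):
    """List input problems that would fail token minting, before any network call."""
    problems = []
    if not is_uuid(env_id):
        problems.append("environment ID is not a UUID")
    if not is_uuid(client_id):
        problems.append("client ID is not a UUID")
    if not client_secret or client_secret != client_secret.strip():
        problems.append("client secret is empty or has stray whitespace")
    return problems

def build_token_request(env_id, client_id, client_secret):
    """Build (not send) the client-credentials request. Assumes Basic client auth."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        f"{AUTH_BASE}/{env_id}/as/token",
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": f"Basic {basic}"},
        method="POST",
    )

def mint_token(env_id, client_id, client_secret, timeout=10):
    """Return (ok, detail); never echoes the secret or the token."""
    problems = preflight(env_id, client_id, client_secret)
    if problems:
        return False, "; ".join(problems)
    try:
        req = build_token_request(env_id, client_id, client_secret)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return True, f"HTTP {resp.status}"
    except urllib.error.HTTPError as exc:  # credentials or grant rejected by PingOne
        return False, f"HTTP {exc.code}"
    except urllib.error.URLError as exc:
        return False, f"network error: {exc.reason}"
```

Read the secret from an environment variable or a secrets manager when calling mint_token, so it does not end up in shell history or source control.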

Workspaces Load No Data

Check:

  • The correct Org Root is selected.
  • The source environment is selected.
  • The worker app has access to that environment and domain.
  • Search and filters are cleared.

Write Actions Are Disabled or Fail

Check:

  • The user and worker app have write access for the selected domain.
  • The destination environment is correct.
  • The artifact is not protected by upstream policy constraints.