
Access & Security

Protect your Mixpanel organization with enterprise-grade security features including Single Sign-On, Two-Factor Authentication, and domain claiming.

Single Sign-On (SSO)

Users on an Enterprise plan can enable Single Sign-On for authentication. See our pricing page for more details.
Single sign-on (SSO) allows users to log into multiple platforms, services, or systems using a single ID and password combination. Mixpanel supports SSO and works with any SAML 2.0-compliant SSO provider.

Access SSO Settings

You will need to be in the Organization Owner or Admin role to access the SSO settings. To access SSO settings:
  1. Navigate to Organization Settings (gear icon at top-right)
  2. Click on the Access Security tab

Claim a Domain

Claiming a domain will add security to an SSO implementation by allowing only members with a claimed domain in their email address to access Mixpanel. SSO only works on domains that are claimed.
A single domain can be claimed by only one single Mixpanel organization. If you have multiple Mixpanel organizations with separate billing accounts but need to share SSO settings, see the Shared SSO documentation.
To claim a domain:
  1. Click Access Security in your Organization Settings
  2. Click Domain Claiming in the Access Security menu
  3. Click Add a Domain
  4. You will be prompted to enter your Mixpanel password
  5. Enter the domain you wish to claim in the pop-up modal
  6. Click Submit Claim
To prove ownership of the domain, add a TXT record to your domain’s DNS records containing the verification key that Mixpanel provides. The verification key is available after you submit the claim in your Organization Settings.
It may take up to 24 hours for Mixpanel to verify ownership after you claim a domain. Claimed domains are listed in the Domain Claiming menu. A domain appears as pending until verification succeeds, then as verified once Mixpanel has confirmed the domain.
For Mixpanel to verify that you own the claimed domain, Mixpanel must detect the verification token in a TXT record in your domain’s DNS. The verification token is available in the Domain Claiming menu after you claim a domain. Use that token in the TXT record you add to your domain’s DNS: add mixpanel-domain-verify=<your-token> as the TXT record.
Leave the verification token in your DNS records permanently; if it is removed, the domain becomes unverified after a week. Remove the verification token TXT record only from domains you no longer wish to use with SSO.

Set Up Your Identity Provider (IDP)

Unless you are using custom-built SSO, you must configure your Identity Provider to connect to Mixpanel in order to use SSO.
Set up SSO with Okta using the “Mixpanel” app within the OIN or by configuring a custom app in Okta. See the Okta configuration instructions.
OneLogin only requires that you get the Postback URL. The “Mixpanel” application is in the OneLogin application store and supports auto-provisioning. You will just need to copy a SCIM token from Mixpanel into the provisioning token box in the OneLogin app.
Google has an official integration with Mixpanel with instructions here. Unfortunately, we do not have an auto-provisioning integration with G-Suite. You will need to rely on Just In Time Provisioning.
See the Azure configuration instructions. Azure also has an auto-provisioning integration with Mixpanel; more information is available here.
It is possible to set up Mixpanel SSO with IDPs not listed above. Contact support for further assistance in such cases.

Postback URL

You likely will need to provide your IDP with a postback URL. The postback URL is accessible from the Access Security menu. To obtain your postback URL:
  1. Navigate to Access Security in your Organization Settings
  2. Toggle on the Single Sign-On button
  3. Copy the postback URL displayed

SAML Certificate

The SAML certificate must be a .cert or .pem file containing a valid X.509 certificate.
  • XML files are not valid. If you have downloaded an .xml file from your IDP, it will not work
  • This certificate will expire after some number of years. At the moment we do not send any notification when it is about to expire, so make sure you have a process in place to rotate your certificate before it expires if you wish to avoid disruption
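Because Mixpanel sends no expiry notification, a scheduled check of the uploaded certificate file is the usual safeguard. The script below is an added example, not Mixpanel’s own code: it reads the notAfter date out of a PEM certificate using only the standard library (walking the DER field layout of an X.509 certificate up to its Validity field) and reports whether the certificate is expired or inside a warning window. It also rejects a file with no PEM certificate block, which is what happens when an IdP metadata .xml file is supplied by mistake. The sample certificate shell it builds for demonstration is constructed for this example; it carries no key or signature and is not a usable certificate.

```python
import base64
import re
from datetime import datetime, timezone

# Added example (not Mixpanel code): read notAfter from a PEM X.509 certificate
# with the standard library only, so a cron job can warn before the SAML
# certificate expires. Only the DER field layout up to Validity is parsed.

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def is_pem_certificate(text: str) -> bool:
    """True if the text holds a PEM CERTIFICATE block; IdP metadata .xml files do not."""
    return PEM_BLOCK.search(text) is not None


def pem_to_der(pem_text: str) -> bytes:
    """Decode the first PEM CERTIFICATE block into DER bytes."""
    m = PEM_BLOCK.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate block found; an IdP metadata .xml file is not accepted")
    return base64.b64decode("".join(m.group(1).split()))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf: bytes):
    """Yield (tag, value) for each DER element laid end to end in buf."""
    pos = 0
    while pos < len(buf):
        tag, start, end = _read_tlv(buf, pos)
        yield tag, buf[start:end]
        pos = end


def _parse_time(tag: int, value: bytes) -> datetime:
    s = value.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ; RFC 5280 century rule
        yy = int(s[:2])
        s = f"{yy + (2000 if yy < 50 else 1900)}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)  # GeneralizedTime form


def certificate_validity(der: bytes):
    """Return (notBefore, notAfter) from Certificate -> tbsCertificate -> validity."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_start, tbs_end = _read_tlv(der, start)
    fields = list(_children(der[tbs_start:tbs_end]))
    if fields[0][0] == 0xA0:               # optional explicit [0] version comes first
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity
    not_before, not_after = [_parse_time(t, v) for t, v in _children(fields[3][1])]
    return not_before, not_after


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def days_until_expiry(pem_text: str, now=None) -> int:
    now = now or datetime.now(timezone.utc)
    _, not_after = certificate_validity(pem_to_der(pem_text))
    return (not_after - now).days


def check_saml_cert(pem_text: str, warn_days: int = 30, now=None) -> str:
    """'expired', 'expiring' (within warn_days) or 'ok'."""
    days = days_until_expiry(pem_text, now)
    if days < 0:
        return "expired"
    return "expiring" if days <= warn_days else "ok"


def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_sample_pem(not_before: str, not_after: str) -> str:
    """Constructed stand-in with the TBSCertificate field order up to Validity
    (UTCTime strings such as '240101000000Z'). It has no key or signature and
    is not a usable certificate; it only exercises the parser's real code path."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                                    # [0] version v3
               + _der(0x02, b"\x01")                                              # serialNumber
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
               + _der(0x30, b"")                                                  # issuer (empty Name)
               + _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode())))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))              # signatureAlgorithm, signatureValue
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    pem = build_sample_pem("240101000000Z", "260101000000Z")
    print(check_saml_cert(pem), certificate_validity(pem_to_der(pem))[1])
```

Run it against the .pem you uploaded to Mixpanel (read the file and pass its text to check_saml_cert) from a scheduled job and page the owner while it still returns "expiring"; the warning window should be longer than your IdP’s certificate rollover lead time.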

Require Users to Log In Using SSO

Optionally toggle on Require Single Sign-On to require your users to log in using SSO and to prevent your users from logging in using a username and password.
  • Organization Owners and Admins will still be able to log in using username and password in the case that SSO is not set up correctly
  • External users (with an email of an unclaimed domain) who were invited to projects will still be able to log in using username and password

IDP Managed Access

This feature determines whether you are using your IDP to manage which users should be allowed in the organization or whether you are using the IDP purely as an authentication method and want to leave user management within Mixpanel. If you enable this feature:
  • All users of your verified claimed domain(s) who log into Mixpanel will be prompted to use SSO, whether they are in your organization or not
  • If they successfully log in through your SSO setup, they will be automatically added to the organization with no permissions except those granted to all users (JIT provisioning)
  • It will also redirect anyone signing up for a Mixpanel account with your claimed domain or anyone requesting access to a project in your organization to log in via SSO first
We recommend enabling IDP Managed Access for most customers.
To enable:
  1. Go to Access Security tab in Organization Settings
  2. Toggle on IDP Managed Access at the bottom
  3. The toggle is purple when enabled

Just in Time Provisioning

Just in Time (JIT) provisioning using SAML lets users sign in automatically upon their initial login event. This removes the need for an organization admin to invite individual users to an Organization. It is part of the IDP Managed Access feature. To use JIT provisioning:
  1. Go to Access Security
  2. Toggle on the IDP Managed Access toggle (purple when enabled)
Users added through the IDP will have first names and last names populated by the firstName and lastName profile attributes provided via SAML at login time. These users will also have no roles to start off except those given to all users in your organization. To give these provisioned users default access to projects, invite All Users in the Organization to the project.

SCIM

Only accounts with an Enterprise plan have access to SCIM.
The SCIM menu in the Access Security tab lets you generate a token used to call the SCIM endpoints.
Remember to save this token, as you will see it only once.
You can find the official SCIM spec subset that Mixpanel implements here. The base endpoint is https://mixpanel.com/api/app/scim/v2, which you call with the SCIM token as a Bearer token in the Authorization header. Example: a GET request to https://mixpanel.com/api/app/scim/v2/Users using the SCIM token returns a list of all users in your organization.
The SCIM endpoint affects only users whose email has a domain in the list of your verified claimed domains.
While you can call the SCIM endpoints directly, the most common use case is auto-provisioning within an IDP that has an integration with Mixpanel provisioning. This lets your IDP and Mixpanel stay in sync. IDPs that currently have an auto-provisioning integration with Mixpanel:
  • Okta
  • OneLogin
  • Azure
If you wish to revoke your SCIM Provisioning token, generate a new one; doing so invalidates the previous token.
We recommend enabling IDP Managed Access when using SCIM; otherwise, your IDP and Mixpanel can get out of sync.
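The drift the previous sentence warns about is easy to measure from the SCIM side. The script below is an added example, not Mixpanel’s own code: it lists every user the /Users endpoint returns, presenting the SCIM token as a Bearer token as described above, and diffs that set against the roster exported from your IdP, restricted to your verified claimed domains because SCIM manages only those. It follows SCIM ListResponse pagination (startIndex and count, RFC 7644); that Mixpanel’s SCIM subset honours those parameters, and that userName carries the login e-mail, are assumptions of this example. The two response pages it ships with are constructed so it runs offline.

```python
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# Added example (not Mixpanel code). Lists the users Mixpanel exposes over
# SCIM and diffs them against the IdP roster, which is the drift that appears
# when IDP Managed Access is off. Pagination via startIndex/count follows
# RFC 7644; whether Mixpanel's SCIM subset honours it is an assumption here.

SCIM_BASE = "https://mixpanel.com/api/app/scim/v2"   # base endpoint from the docs above


def bearer_fetcher(scim_token: str):
    """Build a GET function that presents the SCIM token as a Bearer token."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {scim_token}",
            "Accept": "application/scim+json",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def list_scim_users(fetch, page_size: int = 100) -> list:
    """Collect all Resources from /Users, following ListResponse pagination."""
    users, start = [], 1
    while True:
        query = urlencode({"startIndex": start, "count": page_size})
        page = fetch(f"{SCIM_BASE}/Users?{query}")
        resources = page.get("Resources", [])
        users.extend(resources)
        total = page.get("totalResults", len(users))
        if not resources or len(users) >= total:   # empty page or everything fetched
            return users
        start += len(resources)


def _domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def find_drift(scim_users: list, idp_emails, claimed_domains) -> dict:
    """Users on verified claimed domains present on one side but not the other.
    Assumes userName carries the login e-mail; addresses outside the claimed
    domains are ignored because SCIM does not manage them."""
    domains = {d.lower() for d in claimed_domains}
    in_mixpanel = {u["userName"].lower() for u in scim_users if _domain(u["userName"]) in domains}
    in_idp = {e.lower() for e in idp_emails if _domain(e) in domains}
    return {
        "missing_in_idp": sorted(in_mixpanel - in_idp),        # likely leavers: deprovision
        "missing_in_mixpanel": sorted(in_idp - in_mixpanel),   # never provisioned or removed by hand
    }


# Constructed sample: two ListResponse pages, not data from a real organization.
SAMPLE_PAGES = {
    1: {"totalResults": 3, "startIndex": 1, "itemsPerPage": 2, "Resources": [
        {"userName": "ana@example.com", "active": True},
        {"userName": "ben@example.com", "active": True}]},
    3: {"totalResults": 3, "startIndex": 3, "itemsPerPage": 1, "Resources": [
        {"userName": "former.employee@example.com", "active": True}]},
}


def sample_fetch(url: str) -> dict:
    """Offline stand-in for bearer_fetcher(): serves SAMPLE_PAGES by startIndex."""
    start = int(parse_qs(urlparse(url).query)["startIndex"][0])
    return SAMPLE_PAGES[start]


if __name__ == "__main__":
    roster = ["ana@example.com", "ben@example.com", "new.hire@example.com"]
    print(find_drift(list_scim_users(sample_fetch, page_size=2), roster, {"example.com"}))
```

Against a live organization, replace sample_fetch with bearer_fetcher(token) and feed find_drift the e-mail list from your IdP export; anything under missing_in_idp is an account that outlived its owner’s IdP entry and belongs at the top of an access review.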

Remove SSO Configuration

If you need to remove all of your SSO configuration, you can do so with the “Remove SSO Configuration” button. This option is available if you had previously configured SSO and then disabled SSO. This will clear the settings and SAML certificate, as well as entries that facilitate the SSO process.
Removing SSO Configuration is permanent and cannot be undone.

Two-Factor Authentication (2FA)

Two-factor authentication (2FA) is a security process that requires users to provide two different authentication factors, such as passwords or tokens, to verify their identity.

Enable 2FA for Your Organization

If you are an organization admin, you can enable two-factor authentication:
  1. In your “Organization Settings”, select Access Security
  2. In “Two Factor Authentication”, click the toggle to enable (purple when enabled) or disable (gray)
  3. The “Verify Mixpanel password” box will appear
  4. Enter your password and click Confirm to finalize changes
If your organization has SSO enabled, your organization will not have access to 2FA.
If you do not have a password because you use Magic Link or Google Sign In, please go to your personal settings to set up your password.

Setting Up Your 2FA Method

Once two-factor authentication has been enabled for your organization, an individual member of your organization can set up two-factor authentication via the methods below.
On their second login, Mixpanel users will be prompted to set up two-factor authentication via an authentication app.
Authentication App:
  1. Select the authentication app option and ensure you have your preferred authentication app downloaded. We recommend using apps such as Google Authenticator, Authy and Microsoft Authenticator
  2. Scan the QR code via your Authentication App to complete the setup
  3. If you are unable to scan the QR code, click on “Can’t scan QR code?” for a two-factor secret to set up your authentication app manually
  4. Before you log in to Mixpanel, download or copy your recovery codes. These are essential for you to log in if you happen to lose your phone
This is the only place where you can save your recovery codes, so make sure you store them somewhere safe.
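To make concrete what the QR code, the manual secret and the recovery codes are, here is an added example that is not Mixpanel’s code: the time-based one-time password an authenticator app derives from the base32 secret behind “Can’t scan QR code?” (RFC 6238 TOTP over RFC 4226 HOTP, with a small clock-skew window on verification), and a server-side store in which each recovery code is kept only as a hash and is accepted once. The exact parameters Mixpanel encodes in its QR code are not stated on this page; the example assumes the common defaults (SHA-1, 6 digits, 30-second step). The secret it uses for its own check is the RFC 6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Added example (not Mixpanel code): what an authenticator app computes from
# the secret behind "Can't scan QR code?" (RFC 6238 TOTP over RFC 4226 HOTP),
# plus a one-time recovery-code store of the kind a server keeps. The
# parameters Mixpanel issues in its QR code are not stated on the page; the
# common defaults (SHA-1, 6 digits, 30-second step) are assumed here.


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Base32 secret as shown to the user, tolerating spaces and missing padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    at = int(time.time()) if at is None else int(at)
    return hotp(decode_secret(secret_b32), at // step, digits)


def verify_totp(secret_b32: str, code: str, at=None, window: int = 1, step: int = 30) -> bool:
    """Accept the current step and `window` steps either side to absorb clock skew."""
    at = int(time.time()) if at is None else int(at)
    return any(hmac.compare_digest(totp(secret_b32, at + k * step, step), code)
               for k in range(-window, window + 1))


def generate_recovery_codes(n: int = 10) -> list:
    """Random one-time codes such as '9f3a-c07e'; show them once, store only hashes."""
    return [f"{secrets.token_hex(2)}-{secrets.token_hex(2)}" for _ in range(n)]


def hash_recovery_code(code: str) -> str:
    """Normalise (drop dashes, lowercase) so a retyped code still matches."""
    return hashlib.sha256(code.replace("-", "").lower().encode()).hexdigest()


class RecoveryCodeStore:
    """Server-side set of unused recovery-code hashes; each code redeems once."""

    def __init__(self, codes):
        self._unused = {hash_recovery_code(c) for c in codes}

    def redeem(self, code: str) -> bool:
        h = hash_recovery_code(code)
        if h not in self._unused:
            return False
        self._unused.discard(h)        # consumed: a replayed code is rejected
        return True

    def remaining(self) -> int:
        """When this reaches zero the user must re-enrol, as the page describes."""
        return len(self._unused)


# RFC 6238 Appendix B test key ("12345678901234567890"), base32-encoded.
RFC6238_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(totp(RFC6238_TEST_SECRET_B32, at=59))   # 287082 per RFC 6238 (8-digit form 94287082)
```

The two halves illustrate the two warnings in the steps above: the TOTP secret is all an attacker needs to mint valid codes, which is why the manual secret should be treated like a password, and recovery codes are spent on use, which is why the one chance to save them matters.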
An individual user can also set up their two-factor authentication via their personal settings.
  1. Go to the settings icon > personal settings > your profile
  2. Click on “Set Up Method”
  3. You will be asked to log out in order to set up two-factor authentication
  4. Log in to Mixpanel and follow the setup process

Changing Your 2FA Method

An individual user can switch between different authentication apps for their two-factor authentication method via their personal setting (e.g., Authy to Google Authenticator).
Changing your two-factor method will reset it.
To switch methods:
  1. Go to settings cog > personal settings > your profile
  2. Click “Change Method”
  3. To change your method, log out and log back in to Mixpanel to start the setup process for your new authentication method

Login via Backup Methods

If you are unable to log in due to two-factor authentication because you lost your phone, we have backup methods you can use.
Contact support if none of these backup methods work for you.
If an authentication app is your preferred method of authentication, you can log in via your saved recovery codes if you don’t have access to your phone.
  1. Click on “Need help? Use a recovery code to sign in”
  2. Enter your recovery code and click “Login”
If you use all your recovery codes, you will be asked to reset your two-factor authentication method on your next login.

Resetting 2FA for Users

As an organization admin, you can reset two-factor authentication (2FA) for users within your organization.
  1. Navigate to the Access Security section within your “Organization Settings”
  2. Click on the 2FA tab
  3. Select the users whose 2FA needs to be reset
  4. Click Reset Two-Factor Authorization
This will reset their two-factor authentication, allowing them to set up 2FA again the next time they log in.

Login Methods

Mixpanel supports various login methods to provide flexibility and security for accessing your account.

Available Login Methods

  • Email and password: the traditional method of logging in with your email address and password. Users can create a password when they first sign up or can reset their password if forgotten.
  • Google Sign In: sign in to Mixpanel using your existing Google account. This provides a seamless login experience if you’re already signed in to Google.
  • Single Sign-On (SSO): for Enterprise customers, SSO allows you to use your organization’s identity provider to authenticate users. This provides centralized access control and enhanced security.

Security Best Practices

Critical Security Recommendations:
  1. Enable 2FA: Always enable two-factor authentication for an additional layer of security
  2. Use Strong Passwords: If using email/password login, ensure passwords are strong and unique
  3. Regular Reviews: Regularly review user access and remove users who no longer need access
  4. Claim Your Domain: If using SSO, claim your domain to prevent unauthorized access
  5. Monitor Access: Keep track of who has access to your organization and their permission levels
When creating a password for Mixpanel, follow these guidelines:
  • Meet the minimum length requirement
  • Combination of uppercase and lowercase letters
  • Include numbers and special characters
  • Avoid common passwords
  • Don’t reuse passwords from other services
Mixpanel sessions are managed securely:
  • Sessions expire after a period of inactivity
  • You can log out from all devices
  • SSO sessions are managed by your identity provider
  • 2FA is required at each login when enabled

Access Control Best Practices

Principle of Least Privilege

Grant users the minimum level of access required to perform their job functions:
  • Consumers for users who only need to view reports
  • Analysts for users who need to create and save reports
  • Admins for users who need to manage settings and users
  • Owners for users who need full control

Regular Access Audits

Perform regular audits of user access:
  1. Review user list monthly
  2. Remove users who have left the organization
  3. Adjust permissions as roles change
  4. Document access decisions

Service Accounts

For API access and integrations:
  • Create service accounts instead of using personal accounts
  • Grant service accounts only the permissions they need
  • Rotate service account credentials regularly
  • Document what each service account is used for

Data Classification

Use data classification features to protect sensitive information:
  • Mark sensitive properties as classified
  • Grant classified data access only to users who need it
  • Use Data Views to segment access to different data sets
  • Regularly review who has access to classified data

Compliance and Auditing

Audit Logs

Mixpanel maintains audit logs for security-relevant events:
  • User login and logout events
  • Permission changes
  • Project modifications
  • Data exports
Contact your account manager for information about accessing detailed audit logs for your organization.

Compliance Certifications

Mixpanel maintains various security and compliance certifications:
  • SOC 2 Type II
  • GDPR compliance
  • CCPA compliance
  • ISO 27001
For more information, see our Privacy & Compliance documentation.
