Orchestrator user guide
UiPath provides multiple robot authentication methods, ranging from authentication with tokens that expire to authentication with tokens that never expire. Through robot authentication, Orchestrator verifies the identity of the UiPath Robot that needs to access Orchestrator resources. Validating that identity establishes a trust relationship for further interactions.
Always review the available authentication methods before connecting your robots to Orchestrator. Where possible, choose the recommended method that provides the highest level of security.
There are two methods for attended robot authentication: interactive user sign-in and a hybrid option allowing for both user sign-in and machine key connections.
Interactive Sign-in SSO (Recommended)
This option only allows for robot connections with tokens that expire. Users can authenticate their robots only by signing in with their credentials in the Assistant.
This authentication method requires that workflows which use Orchestrator activities or make direct HTTP calls to the Orchestrator API be recompiled using activity packages v2020.10 or higher.
Job execution may fail if an automation project uses at least one of the following dependencies:
- UiPath.System.Activities < 20.10.0
- UiPath.Persistence.Activities < 1.1.7
- UiPath.DataService.Activities < 20.10.0
- UiPath.Testing.Activities < 1.2.0
Use the Project Dependencies Mass Update Tool in Studio to update process dependencies to versions greater than or equal to those provided above. Test before deploying in production.
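To find affected projects before enforcing Interactive Sign-in SSO, the following added example (not UiPath code) checks a project's dependency list against the minimum versions listed above. It assumes project.json keeps a top-level `dependencies` object mapping package names to NuGet-style version specs; the function names and the sample data are constructed for illustration.

```python
import json
import re

# Minimum package versions listed on this page for Interactive Sign-in SSO.
MINIMUMS = {
    "UiPath.System.Activities": (20, 10, 0),
    "UiPath.Persistence.Activities": (1, 1, 7),
    "UiPath.DataService.Activities": (20, 10, 0),
    "UiPath.Testing.Activities": (1, 2, 0),
}


def parse_version(spec):
    """Lower bound of a NuGet-style spec ("[20.10.0]", "[1.1.7, )") as ints.

    A prerelease suffix such as "-preview" is ignored; None means unreadable.
    """
    match = re.search(r"\d+(?:\.\d+)*", spec.split(",")[0])
    if not match:
        return None
    parts = [int(p) for p in match.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def outdated_dependencies(project_json_text):
    """Return (package, declared_spec, minimum) for each listed package that
    is below its minimum or whose declared version cannot be read."""
    deps = json.loads(project_json_text).get("dependencies", {})
    findings = []
    for name, minimum in MINIMUMS.items():
        spec = deps.get(name)
        if spec is None:
            continue  # package is not referenced by this project
        version = parse_version(spec)
        if version is None or version < minimum:
            findings.append((name, spec, ".".join(map(str, minimum))))
    return findings


# Constructed sample project.json content (assumed layout, not a real project).
SAMPLE = json.dumps({"dependencies": {
    "UiPath.System.Activities": "[20.4.1]",
    "UiPath.Persistence.Activities": "[1.1.7]",
    "UiPath.Testing.Activities": "[1.1.0-preview]",
    "UiPath.Excel.Activities": "[2.9.3]",
}})

if __name__ == "__main__":
    for name, spec, minimum in outdated_dependencies(SAMPLE):
        print(f"{name} {spec}: update to {minimum} or later")
```

A spec with no readable lower bound is reported as well, so it gets reviewed by hand instead of passing silently.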
Hybrid
This option allows for both connections with tokens that don't expire (machine key) and connections with tokens that expire (interactive sign-in or client credentials). Users can sign in with their credentials to authenticate their robots, which in turn allows them to connect Studio and the Assistant to Orchestrator, but signing in is not mandatory.
Comparison Interactive Sign-in SSO/Hybrid
| | Interactive Sign-in SSO (Recommended) | Hybrid |
|---|---|---|
| Sign in option in the Assistant | Yes | Yes |
| Requires workflow recompiling | Yes | No |
| Requires machine object | No | Yes |
| Supported in classic folders | No | Yes |
There are two methods for unattended robot authentication: client credentials and a hybrid option allowing for both client credentials and machine key connections.
In unattended automation, the host machine is connected and licensed in unattended mode, so processes are meant to be executed from Orchestrator. If you want to use the machine in attended mode (opening the Assistant) when Interactive Sign-In is enforced, you need to sign in; otherwise, you cannot see the processes in the Assistant, and the robot appears as "Connected, Unlicensed".
Client Credentials (Recommended)
This option only allows for connections with tokens that expire. It uses the OAuth 2.0 framework as the basis for the authentication protocol, meaning unattended robots can connect to Orchestrator with a client ID - client secret pair generated via machine template objects. The client ID - client secret pair generates a token that authorizes the connection between the robot and Orchestrator and provides the robot with access to Orchestrator resources.
The admin has the option to revoke access at any time by deleting the secret employed on that machine.
Hybrid
This option allows for both connections with tokens that don't expire (machine key) and connections with tokens that expire (client credentials).