# Twingate

> Learn how to connect Opal to Twingate to manage access to Twingate groups and resources.

With the Twingate integration, you can manage zero-trust network access through Opal:

* Allow users to request just-in-time access to Twingate groups and resources from the web and Slack
* Set the right resource owners to delegate approvals to those with the most context
* Configure day-one access to Twingate resources with groups from your identity provider
* Automatically escalate and revoke privileged access based on on-call schedules, e.g., [PagerDuty](/integrations/pagerduty-oncall) or [Opsgenie](/integrations/opsgenie)

## Supported resources

| Resource           | Read | Grant and revoke access | Available in Risk Center |
| ------------------ | ---- | ----------------------- | ------------------------ |
| Twingate Groups    | ✔️   | ✔️                      | ✔️                       |
| Twingate Resources | ✔️   | ✔️                      | ✔️                       |

The integration also supports user account [provisioning and deprovisioning](/docs/user-provisioning).

## Requirements

* You must be an Opal admin.
* You must be a Twingate admin with the ability to generate API tokens.

## 1. Generate a Twingate API token

1. Log in to the [Twingate Admin Console](https://www.twingate.com/).
2. Go to **Settings** > **API**.
3. Click **Generate Token**.
4. Enter a label (e.g., `Opal`) and set **Permission Level** to **Read & Write**.
5. Copy the token and store it securely. The token is only displayed once.

## 2. Create a Twingate app in Opal

1. In Opal, go to **Inventory**, click **+ App**, and select **Twingate**.
2. Fill in the following fields:

| Field              | Value                                                                                                                    |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------ |
| App admin          | The team or user that should manage the Twingate app in Opal.                                                            |
| Description        | Let your end users know what they're requesting access to.                                                               |
| Twingate network   | Your Twingate network name. This is the subdomain of your Twingate URL (e.g., `mycompany` for `mycompany.twingate.com`). |
| Twingate API token | The API token you generated in Step 1.                                                                                   |

3. Click **Create**. Opal validates the credentials by connecting to your Twingate network.

## 3. Import Twingate resources

After creating the app, import groups and resources from Twingate into Opal:

1. Go to your Twingate app in **Inventory**.
2. Select **...** > **Import items**.
3. Choose the groups and resources you want to manage through Opal.

Users can now request access to Twingate groups and resources through Opal.

## User provisioning

Opal can automatically provision and deprovision users in Twingate. When provisioning is enabled, users who don't already have a Twingate account are automatically created when they are granted access to a Twingate group or resource. Deprovisioning removes users from Twingate when their access is revoked.

To configure user provisioning:

1. Go to your Twingate app in **Inventory**.
2. Select **Setup** > **Edit**.
3. Under **Provision Twingate users**, select **Provision Twingate users** to enable automatic user creation.
4. Under **Deprovision Twingate users**, select **Deprovision Twingate users** to enable automatic user removal.
5. Click **Save**.

For more details, see [User provisioning](/docs/user-provisioning).
