Get started with Temporal Cloud

Getting started with Temporal Cloud involves a few key steps to ensure your environment is set up correctly. However you're using Temporal, begin the process by covering essential tasks, such as account setup, Namespace creation, authentication configuration, and Worker deployment.

You’ll find links here to help you configure your Temporal Cloud account, authenticate your Clients and Workers, and set up the necessary infrastructure to get your Workflows running efficiently.

To create a Temporal Cloud account, you can:

Sign up on our site; or
Subscribe at the AWS Marketplace for Temporal Cloud Pay-As-You-Go. Signing up through the AWS Marketplace is similar to signing up directly on the Temporal Cloud site, but billing goes through your AWS account.
To purchase Temporal Cloud on the Google Cloud Marketplace, please contact our team at sales@temporal.io.

For information about Temporal Cloud Pricing, see our Pricing Page.

Accept Account Owner permissions

After sign-up, you will receive email from Temporal welcoming you to your new Temporal account. Your email address is now the first Account Owner for your account.

An Account Owner:

Has full administrative permissions across the account, including users, usage, and billing
Has Namespace Admin permissions on all Namespaces in the account

Establish your authentication credentials

Temporal Cloud supports both TLS and API key authentication. The following two sections explain these approaches.

TLS authentication and certificates

For TLS authentication, you must provide your own CA certificates. These certificates are used to create a Namespace, which in turn used grants Temporal Clients and Workers access to it. For certificate requirements, see the following:

API keys

To enable and use API key access, see the following:

Authentication and SDKs

Each SDK has a way to use your CA certificates and private keys to authenticate and authorize access to your Temporal Cloud Namespace.

Create a Namespace

If you don’t have a Namespace yet--or want to create an additional one--create a Namespace in Temporal Cloud using the Temporal Cloud UI or the tcld CLI. If using mTLS authentication, don't forget to follow the step that has you add the CA certificate to the Namespace.

Namespace Setup - Details[+]

How to create a Namespace in Temporal Cloud

info

The user who creates a Namespace is automatically granted Namespace Admin permission for that Namespace.

To create a Namespace, a user must have the Developer, Account Owner, or Global Admin account-level Role.

tip

By default, each account is allocated with a limit of ten Namespaces. As you start using Namespaces by scheduling Workflows, Temporal Cloud automatically raises your allowance. This automatic adjustment happens whenever all your Namespaces are in use, up to a maximum of 100 Namespaces. You can request further increases beyond the 100 Namespace limit by opening a support ticket.

Information needed to create a Namespace

To create a Namespace in Temporal Cloud, gather the following information:

Namespace Name, region, and Cloud Provider
Retention Period for the Event History of closed Workflow Executions.
CA certificate for the Namespace, if you are using mTLS authentication.
Codec Server endpoint to show decoded payloads to users in the Event History for Workflow Executions in the Namespace. For details, see Securing your data.
Permissions for each user.

Web UI
tcld

Create a Namespace using Temporal Cloud UI

Gather the information listed earlier in Information needed to create a Namespace.
Go to the Temporal Cloud UI and log in.
On the left side of the window, click Namespaces.
On the Namespaces page, click Create Namespace in the upper-right portion of the window.
On the Create Namespace page in Name, enter the Namespace Name.
In Cloud Provider, select the cloud provider in which to host this Namespace.
In Region, select the region in which to host this Namespace.
In Retention Period, specify a value from 1 to 90 days. When choosing this value, consider your needs for Event History versus the cost of maintaining that Event History. Typically, a development Namespace has a short retention period and a production Namespace has a longer retention period. (If you need to change this value later, contact Temporal Support.)
Select your authentication method: API keys or mTLS.
If using mTLS authentication, paste the CA certificate for this Namespace.
Optional: In Codec Server, enter the HTTPS URL (including the port number) of your Codec Server endpoint. You may also enable "Pass the user access token with your endpoint" and "Include cross-origin credentials." For details, see Hosting your Codec Server.
Click Create Namespace.

See the tcld namespace create command reference for details.

Invite users

Adding a user to your Temporal Cloud Account dispatches an email invite, which users must accept to join. To add users, see How to invite users to your Temporal Cloud account.

Invite Users - Details[+]

caution

Access to Temporal Cloud can be authorized via Google OAuth single sign-on, Microsoft single sign-on, or SAML, depending on your setup.

If you are using Google OAuth for single sign-on and an email address is not associated with a Google Account, the user must follow the instructions in the Use an existing email address section of Create a Google Account.

Important: Do not create a Gmail account when creating a Google Account.

If your organization uses Google Workspace or Microsoft Entra ID, and your IT administrator has enabled controls over single sign-on permissions, then you will need to work with your IT administrator to allow logins to Temporal Cloud.

When a user is created in Temporal Cloud, they receive an email invitation containing a link. They must use this link to finalize their setup and access Temporal Cloud. Accounts with SAML configurations can ignore this email. However, those using Google or Microsoft for SSO authentication need to follow the email link for their initial login to Temporal Cloud.

info

To invite users, a user must have the Global Admin or Account Owner account-level role.

Roles and permissions

Each user in Temporal Cloud is assigned a role. Each user can be assigned permissions for individual Namespaces.

Web UI
tcld
Cloud Ops API

To invite users using the Temporal Cloud UI:

In Temporal Web UI, select Settings in the left portion of the window.
On the Settings page, select Create Users in the upper-right portion of the window.
On the Create Users page in the Email Addresses box, type or paste one or more email addresses.
In Account-Level Role, select a Role. The Role applies to all users whose email addresses appear in Email Addresses.
If the account has any Namespaces, they are listed under Grant access to Namespaces. To add a permission, select the checkbox next to a Namespace, and then select a permission. Repeat as needed.
When all permissions are assigned, select Send Invite.

Temporal sends an email message to each user. To join Temporal Cloud, a user must select Accept Invite in the message.

Connect to Temporal Cloud

After having updated your Temporal Client and your Workers to use your Temporal Cloud Namespace credentials, you can deploy your Workers, so they are ready to execute your Workflows and Activities:

SDK-specific Worker configuration

Worker quick-starts

Get up and going with focused how-to guides:

Deploy a Temporal Worker on Amazon Elastic Kubernetes Service (EKS) using the Python SDK

Sign up for Temporal Cloud​

Accept Account Owner permissions​

Establish your authentication credentials​

TLS authentication and certificates​

API keys​

Authentication and SDKs​

Create a Namespace​

How to create a Namespace in Temporal Cloud​

Information needed to create a Namespace​

Create a Namespace using Temporal Cloud UI​

Invite users​

Roles and permissions​

Connect to Temporal Cloud​

SDK-specific Worker configuration​

Worker quick-starts​

Sign up for Temporal Cloud