Deployment Profiles

Desktop and mobile builds are universal. They do not need customer-specific endpoint binaries. A deployment profile tells the client which customer ThinkWork deployment to use before OAuth starts.

Profile Shape

A v1 deployment profile is JSON with these required fields:

{
  "schemaVersion": 1,
  "deploymentId": "thinkwork-tei-e2e",
  "displayName": "ThinkWork",
  "stage": "tei-e2e",
  "region": "us-east-1",
  "accountId": "637423202447",
  "releaseVersion": "v0.1.0-canary.148",
  "releaseManifestUrl": "https://github.com/thinkwork-ai/thinkwork/releases/download/v0.1.0-canary.148/thinkwork-release.json",
  "releaseManifestSha256": "5b154f800b8754d00d0b252772005bd02fc1dbbf6096036597efd700d4d6df93",
  "controller": {
    "stateMachineArn": "arn:aws:states:us-east-1:637423202447:stateMachine:thinkwork-tei-e2e-deployment-orchestrator",
    "stateMachineName": "thinkwork-tei-e2e-deployment-orchestrator",
    "codebuildProjectName": "thinkwork-tei-e2e-deployment-runner",
    "evidenceBucketName": "thinkwork-tei-e2e-637423202447-deploy-evidence",
    "ssmPrefix": "/thinkwork/tei-e2e/deployment",
    "verifiedAt": "2026-06-10T05:39:47.478811+00:00"
  },
  "issuedAt": "2026-06-10T05:39:47.478830+00:00",
  "spacesUrl": "https://d1eqjv7ijcmtqz.cloudfront.net",
  "apiUrl": "https://8puq24dl63.execute-api.us-east-1.amazonaws.com/",
  "graphqlHttpUrl": "https://8puq24dl63.execute-api.us-east-1.amazonaws.com/graphql",
  "appsyncHttpUrl": "https://zp7lxyesvnci7gnhfkqbiye3nm.appsync-api.us-east-1.amazonaws.com/graphql",
  "appsyncWsUrl": "wss://zp7lxyesvnci7gnhfkqbiye3nm.appsync-realtime-api.us-east-1.amazonaws.com/graphql",
  "cognitoDomain": "https://thinkwork-tei-e2e.auth.us-east-1.amazoncognito.com",
  "cognitoUserPoolId": "us-east-1_YlRAfXsE9",
  "cognitoClientId": "5151h0qb3felu6vf4v3l33mvs3",
  "signature": null
}

Production profiles should be signed by a trusted ThinkWork deployment profile key. Unsigned profiles are for development fallback only.

The accountId, release fields, and controller object are optional for older profiles but expected after customer authority transfer. They tell operators which release manifest was installed and which customer-owned Step Functions controller owns future update and teardown operations.

Import Methods

Export the profile from Spaces

Open the deployment profile panel on the customer deployment and copy the JSON or profile link.
Import on desktop

Open the desktop sign-in screen and paste the profile JSON, select a profile file, or open a profile deep link.
Import on mobile

Open the mobile sign-in screen and paste the profile JSON or link. A QR code can point at the same profile link.
Verify before OAuth

The sign-in screen shows display name, stage, region, and trust status. Incomplete config blocks sign-in before OAuth begins.

Changing Deployments

Sign out before replacing or removing a deployment profile. Changing the active profile clears deployment-scoped auth/session/client caches so the next OAuth flow starts against the selected customer deployment.

Malformed replacements do not clear the previous valid profile.

Trust Rules

Profile state	Client behavior
Trusted signature	Allow sign-in and show signing key/trust label.
Unsigned development profile	Allow only in development fallback builds.
Missing required field	Block sign-in and show missing configuration.
Invalid URL or non-TLS endpoint	Block sign-in.
Unknown signing key	Block production sign-in.
Signature mismatch	Block production sign-in.

Support Checks

Confirm schemaVersion is 1.
Confirm Cognito domain, client id, user pool id, AppSync HTTP URL, AppSync WS URL, API URL, and Spaces URL are present.
Confirm URLs are HTTPS/WSS, except explicit localhost development fallback.
Confirm the displayed deployment is the customer deployment the user expects.
Ask the user to sign out before changing profiles.