Skip to content

Commit 117520d

Browse files
Update from code changes: document Enterprise OAuth authentication (#290)
* docs: document OAuth authentication for Enterprise remote connections * docs: add TypeScript OAuth examples to Enterprise authentication page * Update docs/enterprise/authentication.mdx --------- Co-authored-by: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com> Co-authored-by: Prashanth Rao <35005448+prrao87@users.noreply.github.com>
1 parent 07ca7c9 commit 117520d

2 files changed

Lines changed: 142 additions & 0 deletions

File tree

docs/docs.json

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -49,6 +49,7 @@
4949
"enterprise/index",
5050
"enterprise/architecture",
5151
"enterprise/security",
52+
"enterprise/authentication",
5253
"enterprise/benchmarks",
5354
{
5455
"group": "Deployment",

docs/enterprise/authentication.mdx

Lines changed: 141 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,141 @@
1+
---
2+
title: "Authentication"
3+
sidebarTitle: "Authentication"
4+
description: "Authentication modes for LanceDB Enterprise with an API key or OAuth credentials."
5+
icon: "key"
6+
keywords: ["authentication", "oauth", "api key", "azure managed identity", "client credentials"]
7+
---
8+
9+
LanceDB Enterprise supports two ways for clients to authenticate against a `db://` remote table:
10+
11+
- **API keys** — a long-lived shared secret passed as `api_key` on connect. Works in every SDK.
12+
- **OAuth 2.0** — short-lived bearer tokens obtained from your identity provider, refreshed automatically by the client.
13+
14+
OAuth is the recommended option when you want to rotate credentials centrally, plug into an existing identity provider, or run on Azure with managed identities so no secret material lives on the client.
15+
16+
## API key
17+
18+
Pass the API key from your Enterprise tenant on `connect`. This works with both the synchronous and asynchronous Python clients, as well as TypeScript and Rust.
19+
20+
```python Python icon="python"
21+
import lancedb
22+
23+
db = lancedb.connect(
24+
uri="db://your-database-uri",
25+
api_key="your-api-key",
26+
region="us-east-1",
27+
host_override="https://your-enterprise-endpoint.com",
28+
)
29+
```
30+
31+
## OAuth
32+
33+
The async Python client and the TypeScript client can obtain bearer tokens from an OIDC issuer and attach them to every request. Token acquisition, caching, and refresh are handled inside the client — your application code only provides the configuration.
34+
35+
<Info>
36+
In Python, OAuth is supported through `lancedb.connect_async`. The synchronous `connect` entry point continues to use API key authentication for `db://` URIs. In TypeScript, `lancedb.connect` accepts `oauthConfig` directly.
37+
</Info>
38+
39+
### Supported flows
40+
41+
`OAuthFlowType` selects how the client acquires tokens:
42+
43+
| Flow | Python value | TypeScript value | When to use |
44+
| --- | --- | --- | --- |
45+
| Client Credentials | `OAuthFlowType.CLIENT_CREDENTIALS` | `OAuthFlowType.ClientCredentials` | Service-to-service / machine-to-machine. Requires a client ID and client secret registered with your identity provider. |
46+
| Azure Managed Identity | `OAuthFlowType.AZURE_MANAGED_IDENTITY` | `OAuthFlowType.AzureManagedIdentity` | Workloads running on Azure compute (VMs, AKS, App Service, Container Apps). Tokens are fetched from the Azure IMDS endpoint, so no client secret is stored on the client. |
47+
48+
### Configure OAuth
49+
50+
Build an OAuth config and pass it on connect. Use `oauth_config` in Python and `oauthConfig` in TypeScript.
51+
52+
<CodeGroup>
53+
```python Python icon="python"
54+
import lancedb
55+
from lancedb.remote import OAuthConfig, OAuthFlowType
56+
57+
# Client Credentials (service-to-service)
58+
oauth_config = OAuthConfig(
59+
issuer_url="https://login.microsoftonline.com/{tenant}/v2.0",
60+
client_id="your-application-client-id",
61+
client_secret="your-application-client-secret",
62+
scopes=["api://lancedb-api/.default"],
63+
flow=OAuthFlowType.CLIENT_CREDENTIALS,
64+
)
65+
66+
db = await lancedb.connect_async(
67+
uri="db://your-database-uri",
68+
region="us-east-1",
69+
host_override="https://your-enterprise-endpoint.com",
70+
oauth_config=oauth_config,
71+
)
72+
```
73+
74+
```typescript TypeScript icon="square-js"
75+
import * as lancedb from "@lancedb/lancedb";
76+
import { OAuthConfig, OAuthFlowType } from "@lancedb/lancedb";
77+
78+
// Client Credentials (service-to-service)
79+
const oauthConfig: OAuthConfig = {
80+
issuerUrl: "https://login.microsoftonline.com/{tenant}/v2.0",
81+
clientId: "your-application-client-id",
82+
clientSecret: "your-application-client-secret",
83+
scopes: ["api://lancedb-api/.default"],
84+
flow: OAuthFlowType.ClientCredentials,
85+
};
86+
87+
const db = await lancedb.connect("db://your-database-uri", {
88+
region: "us-east-1",
89+
hostOverride: "https://your-enterprise-endpoint.com",
90+
oauthConfig,
91+
});
92+
```
93+
</CodeGroup>
94+
95+
For workloads running on Azure compute, use a managed identity instead of a client secret:
96+
97+
<CodeGroup>
98+
```python Python icon="python"
99+
from lancedb.remote import OAuthConfig, OAuthFlowType
100+
101+
oauth_config = OAuthConfig(
102+
issuer_url="https://login.microsoftonline.com/{tenant}/v2.0",
103+
client_id="your-application-client-id",
104+
scopes=["api://lancedb-api/.default"],
105+
flow=OAuthFlowType.AZURE_MANAGED_IDENTITY,
106+
# Optional: required only for user-assigned managed identities.
107+
managed_identity_client_id="your-user-assigned-identity-client-id",
108+
)
109+
```
110+
111+
```typescript TypeScript icon="square-js"
112+
import { OAuthConfig, OAuthFlowType } from "@lancedb/lancedb";
113+
114+
const oauthConfig: OAuthConfig = {
115+
issuerUrl: "https://login.microsoftonline.com/{tenant}/v2.0",
116+
clientId: "your-application-client-id",
117+
scopes: ["api://lancedb-api/.default"],
118+
flow: OAuthFlowType.AzureManagedIdentity,
119+
// Optional: required only for user-assigned managed identities.
120+
managedIdentityClientId: "your-user-assigned-identity-client-id",
121+
};
122+
```
123+
</CodeGroup>
124+
125+
### Configuration reference
126+
127+
The same configuration is available in both SDKs. Python uses `snake_case` field names; TypeScript uses `camelCase`.
128+
129+
| Python field / TypeScript field | Required | Description |
130+
| --- | --- | --- |
131+
| `issuer_url` / `issuerUrl` | Yes | OIDC issuer URL or OAuth authority URL. For Azure, use `https://login.microsoftonline.com/{tenant_id}/v2.0`. |
132+
| `client_id` / `clientId` | Yes | Application / client ID registered with your identity provider. |
133+
| `scopes` | Yes | List of OAuth scopes to request. For Azure managed identity, provide exactly one scope or resource, for example `["api://your-app-id/.default"]`. |
134+
| `flow` | No | Selects the OAuth flow. Defaults to Client Credentials. |
135+
| `client_secret` / `clientSecret` | Conditional | Required for Client Credentials. Redacted from the config's `repr` (Python) and `Debug` output (TypeScript native binding) so it does not leak into logs. |
136+
| `managed_identity_client_id` / `managedIdentityClientId` | No | Client ID of a user-assigned managed identity. Only used with Azure Managed Identity; omit for system-assigned identities. |
137+
| `refresh_buffer_secs` / `refreshBufferSecs` | No | How many seconds before token expiry to proactively refresh. Defaults to 300. Keep this well below the token TTL — setting it greater than or equal to the TTL forces a refresh on every request. |
138+
139+
<Warning>
140+
Treat the client secret like any other production credential. Load it from a secret manager or environment variable rather than committing it to source control. Both SDKs deliberately omit the secret from their debug/repr output so accidental log lines do not expose the value.
141+
</Warning>

0 commit comments

Comments
 (0)