Authentication
The OpenMetadata API uses JWT (JSON Web Token) authentication. All API requests must include a valid token in theAuthorization header.
Obtaining a Token
There are two ways to obtain an API token:Bot Token (Recommended for Automation)
Bot tokens are ideal for service accounts, CI/CD pipelines, and automated integrations.- Navigate to Settings > Bots in the OpenMetadata UI
- Click Add Bot or select an existing bot
- Under Token, click Generate Token
- Copy and securely store the generated JWT token
Personal Access Token
Personal access tokens are tied to your user account and inherit your permissions.- Click your profile icon in the top-right corner
- Select Access Tokens
- Click Generate New Token
- Set an expiration date and click Generate
- Copy and securely store the token
Personal access tokens cannot be retrieved after creation. Store them securely immediately after generation.
Using the Token
Include the token in theAuthorization header of all API requests:
Examples
Token Example
Token Structure
OpenMetadata JWT tokens contain the following claims:
Example decoded token payload:
Authentication Errors
Error Response Format
Security Best Practices
1
Use Bot Tokens for Automation
Create dedicated bot accounts for each integration rather than using personal tokens.
2
Rotate Tokens Regularly
Set expiration dates on personal access tokens and rotate bot tokens periodically.
3
Apply Least Privilege
Assign only the minimum required roles to bots and service accounts.
4
Store Tokens Securely
Use environment variables or secret managers. Never commit tokens to source control.
5
Monitor Token Usage
Review audit logs to track API usage and detect anomalies.
Environment Variables
For convenience, you can configure authentication using environment variables:SSO Integration
OpenMetadata supports SSO authentication providers for the UI. For API access, you still need to use JWT tokens, but users authenticated via SSO can generate personal access tokens from their profile. Supported SSO providers:- Okta
- Azure AD
- Auth0
- Custom OIDC
- SAML
- LDAP
SSO Configuration
Configure Single Sign-On for your organization