
OAuth 2.0

OAuth 2.0 forms the basis for authentication on the platform. This section provides practical guidance for authenticating requests.

For examples of how to perform authentication in a variety of programming languages, see the Client Credentials Grant Examples in the sidebar.

Client Credentials Grant

The most straightforward scenario is machine-to-machine authentication, which is handled with a client credentials grant. In this scenario, a trusted, confidential server uses its own credentials, generally referred to as an app-id and app-secret tuple, to authenticate requests. The server, not Vectara, is responsible for managing authentication and authorization of individual users.

The server behind a publicly-accessible semantic search engine such as Quanta Search should use this strategy.


If you are using Java, please contact us for convenient helper libraries that encapsulate the steps below.

Obtain the JWT Token

In the code snippet below, the token endpoint is <AUTH_URL>/oauth2/token where AUTH_URL is the location of your account's authentication domain. To determine its value, navigate to the Authentication page of the console and select the App Client tab.

Authentication Domain

The client ID is the app_id, and the redirect URI must match the redirect URL configured for the client. Note the peculiarities of the HTTP authorization header: this is per the OAuth 2.0 standard.

The grant type should be client_credentials for App Clients; this auth flow is commonly used for servers that must communicate with the platform. The grant type should be authorization_code for authentication from apps installed on a device, such as web browsers. Finally, refresh_token is used to refresh an expired token.
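
The following Python sketch of the client credentials token request is an added example, not code from the original page or from Vectara. It assumes the Authorization header is HTTP Basic over app_id:app_secret (RFC 6749 section 2.3.1) and that the response carries the standard access_token field; the function names and sample values are hypothetical.

```python
import base64
import json
import urllib.parse
import urllib.request


def build_token_request(auth_url, app_id, app_secret):
    """Build (but do not send) the client credentials token request."""
    parsed = urllib.parse.urlsplit(auth_url)
    # The app secret travels in a header, so refuse anything but HTTPS.
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("AUTH_URL must be an https:// URL")
    # Assumption: HTTP Basic, i.e. base64("app_id:app_secret").
    basic = base64.b64encode(f"{app_id}:{app_secret}".encode()).decode("ascii")
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "client_id": app_id}
    ).encode("ascii")
    return urllib.request.Request(
        auth_url.rstrip("/") + "/oauth2/token",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def fetch_jwt(auth_url, app_id, app_secret, timeout=10):
    """Send the request and return the JWT from the JSON response."""
    req = build_token_request(auth_url, app_id, app_secret)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        # Assumption: standard OAuth 2.0 token response field name.
        return json.load(resp)["access_token"]


# Constructed sample values, not real credentials or a real domain.
SAMPLE_AUTH_URL = "https://auth.example.invalid"
SAMPLE_APP_ID = "sample-app-id"
SAMPLE_APP_SECRET = "sample-app-secret"

if __name__ == "__main__":
    req = build_token_request(SAMPLE_AUTH_URL, SAMPLE_APP_ID, SAMPLE_APP_SECRET)
    # Print only the non-secret parts; never log the Authorization header.
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

In a real deployment, load the app_id and app_secret from the server's secret store or environment rather than from source code.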