Skip to main content
Version: 1.0.0

User authentication and authorization

Check your docs version

Anyscale is rolling out a new design. If you have preview access to the enhanced experience, use the latest version of the docs and see the migration guide for transitioning.

This page describes user authentication and authorization on Anyscale platform.

Users need to get authenticated to interact with the four interfaces that Anyscale supports:

  • a Web UI, accessible at,
  • a CLI, which can be installed via pip install anyscale,
  • a Python SDK, which is also installed with pip install anyscale, and
  • an HTTP API, which can be used for programmatic access in any language.

Single sign-on

Anyscale supports Single Sign On (SSO) with SAML 2.0 providers. A guide for setting up SSO with common providers can be found here. Integration with SSO identity providers allows Anyscale customers to set more restrictive policies on authentication to the console by implementing password rotation, group policies, and MFA.

CLI Tokens

CLI tokens allow users to programmatically interact with Anyscale. You can fetch a user-specific, persistent token from the Anyscale Web UI and store it for use in development. The default location for clients to reference this token is at ~/.anyscale/credentials.json and is set using the anyscale login CLI command. The token can also be set via the ANYSCALE_CLI_TOKEN environment variable. Ray and Anyscale clients send this token in HTTPS request headers to access Anyscale API calls.

Rotating CLI Tokens

CLI tokens can be rotated in order to revoke all existing tokens. Rotating a token will invalidate all existing tokens and cause subsequent API requests to fail authentication.

  • Collaborators can rotate their own CLI tokens. To rotate and retrieve a new credential, there are two methods:

    • Within the UI, you can rotate your own CLI tokens by navigating to the Credentials page within the console and selecting “Revoke all credentials”.
    • Using the API, you can rotate your own credential by using the Rotate User key API.
  • Owners (users with administrator privileges) can rotate existing user credentials using the Rotate API key for User API by providing a user’s user ID. Note: Users can retrieve a user ID by leveraging this get collaborator API.

Revoke CLI Tokens

Account owners can revoke a user's CLI tokens by removing users from their accounts.