Skip to main content
Version: Latest

User authentication and authorization

Check your docs version

These docs are for the new Anyscale design. If you started using Anyscale before April 2024, use Version 1.0.0 of the docs. If you're transitioning to Anyscale Preview, see the guide for how to migrate.

This page describes user authentication and authorization on Anyscale platform.

Users need to get authenticated to interact with the interfaces that Anyscale supports:

  • a Web UI, accessible at console.anyscale.com,
  • a CLI, which can be installed via pip install anyscale,
  • a Python SDK, which is also installed with pip install anyscale, and
  • a HTTP API, which can be used for programmatic access in any language.
  • an Anyscale Endpoints API, which can be used for Endpoints features such as text generation, fine-tuning, or embedding.

Single sign-on

Anyscale supports Single Sign On (SSO) with SAML 2.0 providers. A guide for setting up SSO with common providers can be found here. Integration with SSO identity providers allows Anyscale customers to set more restrictive policies on authentication to the console by implementing password rotation, group policies, and MFA.

Platform API keys

Platform API keys allow users to programmatically interact with Anyscale Web UI, CLI, Python SDK, and HTTP API. You can fetch a user-specific, persistent key from the Anyscale Web UI and store it for use in development. The default location for the CLI and SDK to reference this key is at ~/.anyscale/credentials.json and is set using the anyscale login CLI command. The key can also be set via the ANYSCALE_CLI_TOKEN environment variable. Ray and Anyscale clients send this key in HTTPS request headers to access Anyscale API calls.

Rotating platform API keys

Platform API keys can be rotated in order to revoke all existing keys. Rotating a token will invalidate all existing keys and cause subsequent API requests to fail authentication.

  • Collaborators can rotate their own Platform API keys. To rotate and retrieve a new credential, there are two methods:

    • Within the UI, you can rotate your own Platform API keys by navigating to the API Keys page within the console, going to the AI Platform tab, and selecting “Revoke all keys”.
    • Using the API, you can rotate your own Platform API key by using the Rotate User key API.

  • Owners (users with administrator privileges) can rotate existing user API keys using the Rotate API key for User API by providing a user’s user ID. Note: Users can retrieve a user ID by leveraging this get collaborator API.

Revoke platform API keys

Account owners can revoke a user's Platform API keys by removing users from their accounts.

Endpoints API keys

Endpoints API keys allow users to programmatically interact with the Anyscale Endpoints API. You can generate a user-specific, persistent key from the Anyscale Web UI and store it for use in development. The key should be sent in the Authorization header.

Revoke Endpoints API keys

Anyone with access to your organization can revoke an Endpoints API key. To Revoke an API key, navigate to the API Keys page, click on the Endpoints API tab, and click on the "Revoke" button next to the key you want to revoke.