
User authentication and authorization

This page describes user authentication and authorization on the Anyscale platform.

Users must authenticate to interact with any of the four interfaces that Anyscale supports:

  • a Web UI, accessible at,
  • a CLI, which can be installed via pip install anyscale,
  • a Python SDK, which is also installed with pip install anyscale, and
  • an HTTP API, which can be used for programmatic access in any language.

Single sign-on

Anyscale supports Single Sign On (SSO) with SAML 2.0 providers. A guide for setting up SSO with common providers can be found here. Integration with SSO identity providers allows Anyscale customers to set more restrictive policies on authentication to the console by implementing password rotation, group policies, and MFA.

CLI Tokens

CLI tokens allow users to programmatically interact with Anyscale. You can fetch a user-specific, persistent token from the Anyscale Web UI and store it for use in development. By default, clients look for this token at ~/.anyscale/credentials.json, where it is set using the anyscale auth set CLI command. The token can also be set via the ANYSCALE_CLI_TOKEN environment variable. Ray and Anyscale clients send this token in HTTPS request headers to authenticate Anyscale API calls.
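Because the token is persistent, how it is stored on a workstation matters. The following is an added example, not Anyscale's own code: a local check of the two token locations named above that reads only file metadata and never opens or prints the token. The function name, the wording of the findings, and the POSIX permission thresholds are assumptions of this example.

```python
import os
import stat
from pathlib import Path

CRED_RELPATH = Path(".anyscale") / "credentials.json"  # default path named on this page
ENV_VAR = "ANYSCALE_CLI_TOKEN"                          # variable named on this page


def audit_token_storage(home, env):
    """Return a list of findings about how the CLI token is stored.

    home: home directory to inspect; env: mapping of environment variables.
    Hypothetical helper for this example; assumes a POSIX file system.
    """
    findings = []
    cred = Path(home) / CRED_RELPATH
    try:
        st = os.lstat(cred)  # lstat so a symlink is reported, not followed
    except FileNotFoundError:
        st = None

    if st is not None:
        if stat.S_ISLNK(st.st_mode):
            findings.append("credentials file is a symlink; verify its target")
        elif stat.S_IMODE(st.st_mode) & 0o077:
            findings.append("credentials file is accessible to group/other; chmod 600")
        if hasattr(os, "getuid") and st.st_uid != os.getuid():
            findings.append("credentials file is owned by another user")
        if stat.S_IMODE(os.stat(cred.parent).st_mode) & 0o022:
            findings.append(".anyscale directory is writable by group/other; chmod 700")

    if env.get(ENV_VAR):
        # Environment variables are inherited by every child process.
        findings.append(f"{ENV_VAR} is set; child processes inherit it")
        if st is not None:
            findings.append("token configured in both file and environment; keep one source")
    return findings


if __name__ == "__main__":
    for finding in audit_token_storage(Path.home(), os.environ) or ["no findings"]:
        print(finding)
```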

Rotating CLI Tokens

Rotating a CLI token revokes all existing tokens: they are invalidated, and subsequent API requests that use them fail authentication.

  • Collaborators can rotate their own CLI tokens. To rotate and retrieve a new credential, there are two methods:
    • Within the UI, you can rotate your own CLI tokens by navigating to the Credentials page within the console and selecting “Rotate API Credential”.
    • Using the API, you can rotate your own credential by using the Rotate User key API.

Revoke CLI Tokens

Account owners can revoke a user's CLI tokens by removing users from their accounts.