Skip to main content

Authentication

Overview

To ensure security in a production environment, Weaviate instances on Weaviate Cloud Services (WCS) come pre-configured with authentication enabled (except for sandbox instances, where it is optional).

Authentication options

You have two options for authenticating into a WCS instance.

  • Using the account owner's WCS username and password, or
  • Using an API key (recommended method).
Recommendation: Use the API key + a Weaviate client

Generally, we recommend authenticating with the API key, using a Weaviate client (e.g. Python client).

API key permissions

All Weaviate instances with authentication will generate API keys with full admin (read and write) access.

Each paid WCS instance will also come with a read-only API key in addition to the full admin API key.

Access API key(s)

For instances with authentication enabled, the API key(s) can be accessed by clicking the key 🔑 icon:

Instance configuration

That should bring up a screen like this, containing your API key(s) and an authorization header:

WCS key example

Use the API key or the authorization header to authenticate against Weaviate as described below.

Keep your API key secret

Please ensure that your API key is kept secret for security. The above image is for demonstration purposes only.

Steps for authentication

An API key

To authenticate against Weaviate with an API key, each request needs to include the key in its header. The easiest way to do this is with a Weaviate client at instantiation, as shown in the code examples below:

import weaviate

# Instantiate the client with the auth config
client = weaviate.Client(
    url="https://some-endpoint.weaviate.network",  # Replace w/ your endpoint
    auth_client_secret=weaviate.AuthApiKey(api_key="YOUR-WEAVIATE-API-KEY"),  # Replace w/ your Weaviate instance API key
)

This way, every request made using the client will include the API key.

Manually adding the key to the header.

If using a Weaviate client is not possible, you can manually include the API key in the request header as below:

Authorization: Bearer YOUR-WEAVIATE-API-KEY

Replacing YOUR-WEAVIATE-API-KEY with your API key.

WCS username and password

To authenticate against Weaviate with your WCS username and password, each request needs to include the an OpenID Connect (OIDC) token in its header. As with the API key-based authentication, the easiest way to do this is with a Weaviate client at instantiation, by providing your WCS username and password as shown below:

import weaviate

# Instantiate the client with the auth config
client = weaviate.Client(
    url="https://some-endpoint.weaviate.network",  # Replace w/ your endpoint
    auth_client_secret=weaviate.AuthClientPassword(
        username = "WCS_USERNAME",  # Replace w/ your WCS username
        password = "WCS_PASSWORD",  # Replace w/ your WCS password
    ),
)

This way, every request made using the client will include an OIDC token.

Manually adding the key to the header.

If using a Weaviate client is not possible, you can manually include an OIDC token in the request header as below.

Authorization: Bearer TOKEN

Replacing TOKEN with your OIDC token.

Please note that OIDC tokens will periodically expire, so new tokens must be obtained and used. This can be done using the "refresh token", however this is outside the scope of the documentation.

To automate this workflow, we strongly recommend that you use your preferred Weaviate client library for username and password-based authentication.

What OIDC "flow" is this?

This is the "Resource Owner Password Flow" method.

Weaviate console

Automatic authentication for your WCS instances

If you are using the GraphQL console to query WCS instances under the same account, the console will automatically include the relevant credentials for you. In other words, your queries will be automatically authenticated.

If you are querying an external Weaviate instance through the WCS console, you can pass authentication credentials (e.g. your API key) in this format:

Headers tab
{ "Authorization": "Bearer YOUR_API_KEY" }

Pass the credentials as an additional header via the Header tab located towards the bottom of the console:

WCS Headers Authorization Bearer example

This will authenticate your requests against the Weaviate instance.

Resetting credentials

If you would like to reset your credentials for whatever reason, you can do so as follows:

  • To revoke your API key, please contact us directly.
  • To reset your WCS password, you can do so from WCS (click "Sign In" and then "Forgot Password").

Read more

If you are interested, you can read more about authentication below:

More resources

Support & Troubleshooting

All Weaviate users are welcome to join our community Slack and forum.

Additionally, paid customers can also contact support via channels provided during cluster creation and/or on-boarding.

For general contact details please see this page.

Inference API status pages