Authentication
Configure and implement authentication for Glean Actions to ensure secure integrations
Overview
Glean’s authentication system supports the OAuth 2.0 standard for securing action requests. This guide covers the available authentication types and how to verify requests from Glean.
Authentication Types
OAuth Admin
Requires one-time authorization by the action developer or app admin during setup. After authorization, Glean sends the token for all requests from authorized users.
OAuth User
Requires initial OAuth connection setup by the developer/admin. Users must authorize the action on first use, after which their token is used for subsequent requests.
None
No tokens are provided in the request. Choose this if you don’t require specific tokens from Glean to handle requests.
When using this authentication type, it’s highly recommended to implement request verification to ensure requests are coming from Glean. Without additional protections (e.g., VPN, Firewall), your endpoint would be publicly accessible.
OAuth Configuration
When setting up OAuth (admin or user), you’ll need to configure the following parameters using the OAuth authorization_code grant type:
- The client ID for your OAuth application
- The client secret for your OAuth application
- The URL used to redirect users for authentication
- The URL Glean uses to complete OAuth by issuing a POST request with the authorization code
- Optional parameter for relevant application scopes. Consider adding the offline_access scope if supported to ensure refresh tokens are sent (reference)
Your OAuth App must be configured to allow redirects (Callback URL) to:
Without this, the OAuth integration may fail or show invalid redirect URI errors.
Request Verification
While optional, implementing request verification is highly recommended to enhance the security of your action server endpoints.
Glean provides a JWT-based signature in the Glean-Actions-Signature header, signed using RSA-SHA256. The signature can be verified using your Glean instance’s public key.
JWT Claims
The JWT header includes these standard claims:
- iat - Issued at time
- exp - Expiration time
- iss - Issuer (always set to ‘glean’)
Implementation Examples