OAuth Authentication for Client API
OAuth is the recommended authentication method for Client API integrations. It allows you to use access tokens from your existing identity provider without managing additional tokens.
OAuth Benefits
- No token management - Use existing identity provider tokens
- Full API access - No scope restrictions like Glean tokens
- Provider flexibility - Works with Google, Azure, Okta, OneLogin
- Enterprise security - Leverages your existing auth infrastructure
OAuth authentication is only supported for Client API. Indexing API operations require Glean-issued tokens.
Authentication Headers
OAuth requests require these specific headers:
Authorization: Bearer <oauth_access_token>
X-Glean-Auth-Type: OAUTH
Header Details
Header | Description | Example Value |
---|---|---|
Authorization | Bearer token from your OAuth provider | Bearer eyJ0eXAiOiJKV1Q... |
X-Glean-Auth-Type | Required to specify OAuth authentication | OAUTH |
Quick Setup Overview
Configure your identity provider
Set up OAuth application in Google Workspace, Azure, Okta, or OneLogin
Enable OAuth in Glean
Navigate to Client API Settings and enable OAuth
Register your Client ID
Add your OAuth application's Client ID to Glean's configuration
Use OAuth tokens
Include Authorization and X-Glean-Auth-Type headers in your requests
Prerequisites
Before setting up OAuth authentication:
- Admin access to Glean's admin console
- Identity provider account (Google Workspace, Azure, Okta, or OneLogin)
- OAuth application configured in your identity provider
Provider-Specific Setup
Use the Help Center for detailed identity provider setup steps.
- Google Workspace (OIDC): Google (OIDC)
- Azure Entra ID (OIDC): Azure (OIDC)
- Okta (SAML): Okta (SAML)
- OneLogin: Generic SAML guide
Implementation Examples
Basic Search Request
curl -X POST https://instance-be.glean.com/rest/api/v1/search \
-H 'Authorization: Bearer <oauth_token>' \
-H 'X-Glean-Auth-Type: OAUTH' \
-H 'Content-Type: application/json' \
-d '{
"query": "quarterly reports",
"pageSize": 10
}'
Chat Request
curl -X POST https://instance-be.glean.com/rest/api/v1/chat \
-H 'Authorization: Bearer <oauth_token>' \
-H 'X-Glean-Auth-Type: OAUTH' \
-H 'Content-Type: application/json' \
-d '{
"query": "What are the latest quarterly results?",
"conversationId": "optional-conversation-id"
}'
Token Properties
Understanding OAuth token characteristics:
- Scope: Full Client API access (not restricted by scopes)
- User context: Treated as user-permissioned tokens
- Expiration: Managed by your identity provider
- API Support: Client API only (Indexing API not supported)
- Security: Leverages your existing identity provider security
Testing OAuth Authentication
Test Command
curl -X POST https://<instance>-be.glean.com/rest/api/v1/search \
-H 'Authorization: Bearer <OAUTH_TOKEN>' \
-H 'X-Glean-Auth-Type: OAUTH' \
-H 'Content-Type: application/json' \
-d '{"query": "test", "pageSize": 1}'
Expected Response
Successful authentication returns a 200 status with search results:
{
"results": [...],
"trackingToken": "...",
"requestId": "..."
}
Troubleshooting OAuth
Common OAuth Errors
Error | Cause | Solution |
---|---|---|
Missing X-Glean-Auth-Type header | OAuth header not set | Add X-Glean-Auth-Type: OAUTH header |
Invalid token format | Malformed token | Verify token is valid JWT from your provider |
401 Unauthorized | Invalid or expired token | Verify token is correct and not expired |
403 Forbidden | OAuth not enabled | Contact admin to enable OAuth in Glean settings |
Debugging Steps
Verify OAuth is enabled
Check that OAuth is enabled in Glean Token Management
Confirm headers
Ensure you have both required headers:
Authorization: Bearer <oauth_token>
X-Glean-Auth-Type: OAUTH
Validate token
Verify your OAuth token is valid and not expired
Test with simple endpoint
Start with a basic search request before testing complex operations
Best Practices
Security
- Use HTTPS for all OAuth flows and API requests
- Validate tokens before making API requests
- Handle token refresh gracefully in your application
- Store tokens securely - never commit to version control
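A local pre-flight for the "Validate token" debugging step and the Security practices above, as an added example rather than Glean's own code. It assumes the access token is a JWT and checks only its structure and `exp` claim, without verifying the signature; the function names, the 60-second skew and the sample token are constructed for illustration.

```python
import base64
import hashlib
import json
import time


def _segment(seg):
    """Decode one base64url JWT segment (padding restored) into a Python object."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def preflight(token, now=None, skew=60):
    """Return locally detectable problems; an empty list means worth sending.

    Checks structure and the exp claim only. The signature is NOT verified
    here; that stays with the identity provider and the API.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return ["invalid token format: expected three dot-separated segments"]
    try:
        header, claims = _segment(parts[0]), _segment(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["invalid token format: segment is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["invalid token format: header and payload must be JSON objects"]
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return ["no numeric exp claim: expiry cannot be checked locally"]
    if exp <= now + skew:
        return ["token expired or about to expire: refresh it before calling"]
    return []


def oauth_headers(token):
    """The two headers the page requires, plus the JSON content type."""
    return {"Authorization": f"Bearer {token}",
            "X-Glean-Auth-Type": "OAUTH",
            "Content-Type": "application/json"}


def fingerprint(token):
    """Log-safe identifier: correlate auth events without logging the token."""
    return "sha256:" + hashlib.sha256(token.encode()).hexdigest()[:12]


def sample_token(exp):
    """Constructed, unsigned sample for offline runs; not a real credential."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc({"exp": exp}), "c2ln"])
```

An empty result from `preflight` only means the token is well-formed and unexpired on the client side; the API's 200 response is what confirms it was accepted.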
Development
- Test OAuth flow in development environment first
- Handle errors gracefully - OAuth tokens can expire or be revoked
- Implement proper logging for OAuth authentication events
- Monitor token usage through your identity provider
Production
- Use production OAuth applications - don't use development credentials
- Implement token caching to reduce identity provider calls
- Set up monitoring for authentication failures
- Plan for token rotation and refresh scenarios
Next Steps
Client API Reference
Explore available Client API endpoints that work with OAuth
Search Implementation
Learn advanced search techniques with OAuth authentication
Need Help?
- Admin Setup: Contact your Glean administrator for OAuth configuration
- Provider Issues: Consult your identity provider documentation
- API Issues: Check the Client API Reference
- Community: Join discussions at community.glean.com