OAuth Authentication for Client API

OAuth is the recommended authentication method for Client API integrations. It allows you to use access tokens from your existing identity provider without managing additional tokens.

OAuth Benefits

  • No token management - Use existing identity provider tokens
  • Full API access - No scope restrictions like Glean tokens
  • Provider flexibility - Works with Google, Azure, Okta, OneLogin
  • Enterprise security - Leverages your existing auth infrastructure
Warning: OAuth authentication is only supported for Client API. Indexing API operations require Glean-issued tokens.


Authentication Headers

OAuth requests require these specific headers:

Authorization: Bearer <oauth_access_token>
X-Glean-Auth-Type: OAUTH

Header Details

| Header | Description | Example Value |
|---|---|---|
| Authorization | Bearer token from your OAuth provider | Bearer eyJ0eXAiOiJKV1Q... |
| X-Glean-Auth-Type | Required to specify OAuth authentication | OAUTH |

Quick Setup Overview

1. Configure your identity provider: Set up an OAuth application in Google Workspace, Azure, Okta, or OneLogin

2. Enable OAuth in Glean: Navigate to Client API Settings and enable OAuth

3. Register your Client ID: Add your OAuth application's Client ID to Glean's configuration

4. Use OAuth tokens: Include the Authorization and X-Glean-Auth-Type headers in your requests


Prerequisites

Before setting up OAuth authentication:

  • Admin access to Glean's admin console
  • Identity provider account (Google Workspace, Azure, Okta, or OneLogin)
  • OAuth application configured in your identity provider

Provider-Specific Setup

Use the Help Center for detailed identity provider setup steps.


Implementation Examples

Basic Search Request

curl -X POST https://instance-be.glean.com/rest/api/v1/search \
-H 'Authorization: Bearer <oauth_token>' \
-H 'X-Glean-Auth-Type: OAUTH' \
-H 'Content-Type: application/json' \
-d '{
"query": "quarterly reports",
"pageSize": 10
}'

Chat Request

curl -X POST https://instance-be.glean.com/rest/api/v1/chat \
-H 'Authorization: Bearer <oauth_token>' \
-H 'X-Glean-Auth-Type: OAUTH' \
-H 'Content-Type: application/json' \
-d '{
"query": "What are the latest quarterly results?",
"conversationId": "optional-conversation-id"
}'

Token Properties

Understanding OAuth token characteristics:

  • Scope: Full Client API access (not restricted by scopes)
  • User context: Treated as user-permissioned tokens
  • Expiration: Managed by your identity provider
  • API Support: Client API only (Indexing API not supported)
  • Security: Leverages your existing identity provider security

Testing OAuth Authentication

Test Command

curl -X POST https://<instance>-be.glean.com/rest/api/v1/search \
-H 'Authorization: Bearer <OAUTH_TOKEN>' \
-H 'X-Glean-Auth-Type: OAUTH' \
-H 'Content-Type: application/json' \
-d '{"query": "test", "pageSize": 1}'

Expected Response

Successful authentication returns a 200 status with search results:

{
"results": [...],
"trackingToken": "...",
"requestId": "..."
}

Troubleshooting OAuth

Common OAuth Errors

| Error | Cause | Solution |
|---|---|---|
| Missing X-Glean-Auth-Type header | OAuth header not set | Add X-Glean-Auth-Type: OAUTH header |
| Invalid token format | Malformed token | Verify token is valid JWT from your provider |
| 401 Unauthorized | Invalid or expired token | Verify token is correct and not expired |
| 403 Forbidden | OAuth not enabled | Contact admin to enable OAuth in Glean settings |

Debugging Steps

1. Verify OAuth is enabled: Check that OAuth is enabled in Glean Token Management

2. Confirm headers: Ensure you have both required headers:

  • Authorization: Bearer <oauth_token>
  • X-Glean-Auth-Type: OAUTH

3. Validate token: Verify your OAuth token is valid and not expired

4. Test with simple endpoint: Start with a basic search request before testing complex operations
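Debugging steps 2 and 3 can be run locally before a request is sent. The Python below is an added example, not code from Glean's documentation or SDKs. It assumes the access token is a JWT (as the error table states) with the standard exp claim, and the names preflight, TokenCheckError and make_sample_token are hypothetical.

```python
import base64
import json
import time


class TokenCheckError(ValueError):
    """The token would be rejected before any search or chat call succeeds."""


def _b64url_json(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def preflight(token, now=None, skew=30):
    """Return the two required headers, or raise TokenCheckError.

    Format and expiry check only: the signature is NOT verified here.
    """
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise TokenCheckError("invalid token format: expected three JWT segments")
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise TokenCheckError("invalid token format: segment is not JSON") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenCheckError("invalid token format: segments must be JSON objects")
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise TokenCheckError("token has no numeric exp claim")
    now = time.time() if now is None else now
    if exp <= now + skew:  # refresh slightly early to absorb clock skew
        raise TokenCheckError("token expired or about to expire: refresh it")
    return {"Authorization": f"Bearer {token}", "X-Glean-Auth-Type": "OAUTH"}


def make_sample_token(exp):
    """Constructed, unsigned sample token for the demo (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    head, body = enc({"alg": "RS256", "typ": "JWT"}), enc({"sub": "user@example.com", "exp": exp})
    return f"{head}.{body}.c2ln"


if __name__ == "__main__":
    headers = preflight(make_sample_token(int(time.time()) + 3600))
    print(sorted(headers))  # header names only; never print the token itself
```

Passing this check does not mean the token is valid. It only rules out the "Invalid token format" and expired-token rows of the error table before the request is sent.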


Best Practices

Security

  • Use HTTPS for all OAuth flows and API requests
  • Validate tokens before making API requests
  • Handle token refresh gracefully in your application
  • Store tokens securely - never commit to version control

Development

  • Test OAuth flow in development environment first
  • Handle errors gracefully - OAuth tokens can expire or be revoked
  • Implement proper logging for OAuth authentication events
  • Monitor token usage through your identity provider

Production

  • Use production OAuth applications - don't use development credentials
  • Implement token caching to reduce identity provider calls
  • Set up monitoring for authentication failures
  • Plan for token rotation and refresh scenarios


Need Help?

  • Admin Setup: Contact your Glean administrator for OAuth configuration
  • Provider Issues: Consult your identity provider documentation
  • API Issues: Check the Client API Reference
  • Community: Join discussions at community.glean.com