Skip to main content

Authentication Overview

Glean provides two main authentication methods to access its APIs, each with different capabilities and use cases. This guide will help you understand the concepts and choose the right approach for your integration.

Finding Your Glean Instance

All Glean API requests require specifying your organization's specific Glean instance. The instance identifier is used in API endpoints and API Client/SDK configuration.

How to Find Your Instance

  1. Navigate to the About Page: Visit https://app.glean.com/admin/about-glean in your Glean admin console
  2. Locate Server Instance: Find the "Server instance (QE)" field
  3. Extract Instance Name: Use the portion before -be.glean.com

Example

If your Server instance shows: https://acme-prod-be.glean.com/
Your instance name is: acme-prod

Usage in APIs

Your instance name is used in:

  • API Base URLs:
    • Client API: https://{instance}-be.glean.com/rest/api/v1/
    • Indexing API: https://{instance}-be.glean.com/api/index/v1/
  • API Client/SDK Configuration: Set as GLEAN_INSTANCE environment variable

API Types and Implementation Guides

Glean offers two distinct APIs with different authentication capabilities. Choose your API type to get started:

Client API Authentication

For end-user applications and integrations

  • Search, chat, collections, agents
  • User-facing functionality
  • OAuth (recommended) + Glean tokens
  • Base URL: https://instance-be.glean.com/rest/api/v1/

Implementation Guide →

Indexing API Authentication

For administrative operations and content management

  • Document indexing, datasource management
  • Administrative operations
  • Glean tokens only (no OAuth support)
  • Base URL: https://instance-be.glean.com/api/index/v1/

Implementation Guide →

Authentication Methods

Supported APIs:Client API

OAuth is the recommended method for Client API integrations. It leverages your existing identity provider and provides seamless authentication without managing additional tokens.

  • Supported APIs: Client API only
  • Providers: Google Workspace, Azure, Okta, OneLogin
  • Benefits: No token management, leverages existing auth, full API access

Glean-Issued Tokens

Supported APIs:Client APIIndexing API

Glean-issued tokens are manually created through the admin console and offer granular control over permissions and access.

  • Supported APIs: Both Client API and Indexing API
  • Types: User-scoped, Global (super admin only)
  • Benefits: Granular scope control, works with both APIs

Quick Decision Guide

Which Authentication Method Should I Use?

For Client API integrations:

  • Choose OAuth if you have existing identity provider infrastructure (Google, Azure, Okta, OneLogin)
  • Choose Glean tokens if you need granular scope control or don't have OAuth infrastructure

For Indexing API operations:

  • Must use Glean tokens (OAuth is not supported)

For applications using both APIs:

  • Use OAuth for Client API operations + separate Glean token for Indexing API operations

User Roles and Permissions

Understanding who can create what type of authentication tokens:

RoleClient API OAuthClient API TokensIndexing API Tokens
Super AdminConfigure for allCreate any tokenCreate any token
AdminConfigure for allCreate for any userCannot create
API Token CreatorCannot configureCreate for self onlyCannot create

Security Best Practices

Regardless of which authentication method you choose:

  • Store tokens securely - Never commit tokens to version control
  • Use environment variables for token storage in applications
  • Implement token rotation for long-running applications
  • Monitor token usage through Glean's admin console
  • Use minimal scopes when creating Glean tokens
  • Implement proper error handling for authentication failures

Need Help?

  • Community: Join discussions at community.glean.com
  • Support: Contact your Glean administrator for token creation access
  • Documentation: Detailed implementation guides linked above

Next Steps

  1. Determine your use case: Client API, Indexing API, or both?
  2. Choose authentication method: OAuth (Client API) or Glean tokens
  3. Follow the implementation guide: Use the links above for detailed setup instructions
  4. Test your integration: Verify authentication works before building your application