Authorization: Bearer <access_token>.
The authentication process differs for a user account and a service account.
Authentication for a user account
- Install and configure the Nebius AI Cloud CLI.
-
Create an access token:
An access token is valid for 12 hours. After it expires, create a new one.
-
Add the token to your API request. For example:
Authentication for a service account
To authenticate a service account, create an authorized key for it and then convert this key into an access token by using a JSON Web Token (JWT). Next, use the obtained access token for authentication.Prepare a service account
- Make sure you are in a group that has the
adminrole within your tenant or project; for example, the defaultadminsgroup. You can check this in the Administration → IAM section of the web console. - Create a service account if you haven’t already.
- Add the service account to a group to grant it necessary permissions. In most cases, a group with the
editorrole should be enough; add the account to a group with theadminrole only if you want to manage other accounts’ group memberships through the API. Learn more about groups and their permissions.
Prepare an authorized key
-
Create an authorized key:
This command creates the
public.pemandprivate.pemkey files in a local directory. -
Upload the key to the service account profile:
- Web console
- CLI
- In the web console, go to
Administration → IAM.
- Open the Service accounts tab.
- Open the page of the required service account.
- Click
Upload authorized key.
- Click
Attach file and then select
public.pem. - (Optional) Set an expiration date.
- Click Upload key.
- Copy and save the account ID and the authorized key ID. You need them for the JWT.
Create a JWT
- Install jwt-cli, the CLI for JWT management.
-
Create the JWT:
The command returns the JWT as a string. Use this value as
subjectTokenin the token exchange request. In the command, specify the copied authorized key ID and the service account ID. Also, specify the current path to theprivate.pemfile created earlier. The JWT is based on the RS256 signing algorithm and expires five minutes after its creation. The lifetime is short because the JWT is only used to create an access token.
Get an access token
-
To exchange the JWT for an access token, send the following API request:
Specify the JWT in the request. The output is the following:The access token expires 12 hours after its creation. The
expiresInvalue from the output is specified in seconds. -
Add the token to your API request. For example: