# Authentication in the Nebius AI Cloud API

For authentication, use an [access token](../iam/authorization/access-tokens). Include it in the HTTP header `Authorization: Bearer <access_token>`.

The authentication process differs for a [user account and a service account](../iam/overview#accounts-and-members).

## Authentication for a user account

1. [Install](/cli/install) and [configure](/cli/configure) the Nebius AI Cloud CLI.

2. Create an access token:

   ```bash
   nebius iam get-access-token
   ```

   An access token is valid for 12 hours. After it expires, create a new one.

3. Add the token to your API request. For example:

   ```bash
   grpcurl -H "Authorization: Bearer <access_token>" \
      cpl.iam.api.nebius.cloud:443 \
      nebius.iam.v1.ProfileService/Get
   ```

## Authentication for a service account

To authenticate a service account, create an [authorized key](../iam/service-accounts/authorized-keys) for it, and then exchange a [JSON Web Token](https://www.jwt.io/introduction) signed with this key for an access token. Then use the access token for authentication.

### Steps

#### Prepare a service account

1. [Create a service account](../iam/service-accounts/manage) if you have not already.
2. [Add the service account to a group](../iam/authorization/groups/members) to grant it the necessary permissions. In most cases, a group with the `editor` role should be enough; add the account to a group with the `admin` role only if you want to manage other accounts' group memberships through the API. Learn more about [groups](../iam/authorization/groups) and their [permissions](../iam/authorization/roles).

#### Prepare an authorized key

1. Create an authorized key:

   ```bash
   openssl genrsa -out private.pem 4096 && \
   openssl rsa -in private.pem -outform PEM -pubout -out public.pem
   ```

   This command creates the key pair in the current directory: `private.pem` (the private key) and `public.pem` (the public key).

2. Upload the key to the service account profile:

   <Tabs group="interfaces">
     <Tab title="Web console">
       1. In the [web console](https://console.nebius.com), go to **Administration** → **IAM**.
       2. Open the **Service accounts** tab.
       3. Open the page of the required service account.
       4. Click **Upload authorized key**.
       5. Click **Attach file** and then select `public.pem`.
       6. (Optional) Set an expiration date.
       7. Click **Upload key**.

       The key is displayed on the **Authorized keys** tab.
     </Tab>

     <Tab title="CLI">
       ```bash
       nebius iam auth-public-key create \
         --account-service-account-id <service_account_ID> \
         --data "$(cat <path/to/public.pem>)" \
         --expires-at <date_and_time>
       ```

       The command contains the following parameters:

       * `--account-service-account-id`: Service account ID. To get it, run `nebius iam service-account list` or `nebius iam service-account get-by-name --name <service_account_name>`.
       * `--data`: Contents of the `public.pem` file created earlier.
       * `--expires-at` (optional): Expiration date of the authorized key.

       <Accordion title="Output example">
         ```yaml
         metadata:
            created_at: "2025-08-22T09:37:07.023669Z"
            id: publickey-***
            parent_id: project-***
         spec:
            account:
               service_account:
                  id: serviceaccount-***
            data: |
               -----BEGIN PUBLIC KEY-----
               ...
               -----END PUBLIC KEY-----
            expires_at: "2025-12-31T02:30:59Z"
         status:
            algorithm: RSA
            fingerprint: a4c4***
            key_size: 4096
            state: ACTIVE
         ```
       </Accordion>
     </Tab>
   </Tabs>

3. From the service account page, copy and save the account ID and the authorized key ID. You need them for the JSON Web Token.

#### Create a JSON Web Token

1. [Install jwt-cli](https://github.com/mike-engel/jwt-cli?tab=readme-ov-file#installation), a CLI for managing JSON Web Tokens.
2. Create the JSON Web Token:

   ```bash
   jwt encode \
      --alg RS256 \
      --kid <authorized_key_ID> \
      --iss <service_account_ID> \
      --sub <service_account_ID> \
      --exp="$(date --date="+5minutes" +%s 2>/dev/null || date -v+5M +%s)" \
      --secret @<path_to_private.pem>
   ```

   In the command, specify the authorized key ID and the service account ID that you copied, and the path to the `private.pem` file created earlier.

   The JSON Web Token is signed with the RS256 algorithm.

   The token expires five minutes after its creation. The lifetime is short because the JSON Web Token is only used to create an access token.
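
The same token can be built and checked locally with `openssl` alone, which shows what `jwt encode` puts into it and catches a private key that does not match the uploaded `public.pem` before the exchange request is sent. This is an added example, not Nebius code; the function names, the throwaway 2048-bit key and the `publickey-EXAMPLE` / `serviceaccount-EXAMPLE` IDs are constructed for the demo.

```bash
# Added example: build and check the service-account JWT with openssl only.
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }
b64url_dec() {                      # restore '=' padding, then decode
  local s="$1"
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | tr '_-' '/+' | openssl base64 -d -A
}

# make_sa_jwt <authorized_key_ID> <service_account_ID> <private.pem> [ttl_seconds]
make_sa_jwt() {
  local kid="$1" sa="$2" key="$3" ttl="${4:-300}" now head body sig
  now=$(date +%s)
  head=$(printf '{"typ":"JWT","alg":"RS256","kid":"%s"}' "$kid" | b64url)
  # iss = sub = service account ID; iat is included because jwt-cli adds it by default
  body=$(printf '{"iss":"%s","sub":"%s","iat":%d,"exp":%d}' \
    "$sa" "$sa" "$now" "$((now + ttl))" | b64url)
  sig=$(printf '%s.%s' "$head" "$body" |
    openssl dgst -sha256 -sign "$key" -binary 2>/dev/null | b64url)
  [ -n "$sig" ] || return 1         # signing failed (missing or unreadable key)
  printf '%s.%s.%s\n' "$head" "$body" "$sig"
}

jwt_part() { b64url_dec "$(printf '%s' "$1" | cut -d. -f"$2")"; }  # 1=header 2=claims 3=signature

# check_sa_jwt <token> <public.pem>: succeeds only for an unexpired RS256 token
# whose signature verifies against the given public key.
check_sa_jwt() {
  local tok="$1" pub="$2" exp sigf rc
  jwt_part "$tok" 1 | grep -Eq '"alg" *: *"RS256"' || return 1
  exp=$(jwt_part "$tok" 2 | sed -n 's/.*"exp" *: *\([0-9][0-9]*\).*/\1/p')
  [ -n "$exp" ] && [ "$exp" -gt "$(date +%s)" ] || return 1
  sigf=$(mktemp) || return 1
  jwt_part "$tok" 3 > "$sigf"
  printf '%s' "$tok" | cut -d. -f1,2 | tr -d '\n' |
    openssl dgst -sha256 -verify "$pub" -signature "$sigf" >/dev/null 2>&1
  rc=$?
  rm -f "$sigf"
  return "$rc"
}

# Demo on constructed inputs: throwaway 2048-bit key, placeholder IDs.
demo_dir=$(mktemp -d)
( umask 077; openssl genrsa -out "$demo_dir/private.pem" 2048 2>/dev/null )
openssl rsa -in "$demo_dir/private.pem" -pubout -out "$demo_dir/public.pem" 2>/dev/null
demo_jwt=$(make_sa_jwt publickey-EXAMPLE serviceaccount-EXAMPLE "$demo_dir/private.pem")
jwt_part "$demo_jwt" 2; echo
check_sa_jwt "$demo_jwt" "$demo_dir/public.pem" && echo "signature verifies"
rm -rf "$demo_dir"
```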

#### Get an access token

1. To exchange the JSON Web Token for an access token, send the following API request:

   ```bash
   grpcurl -d '{
                  "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
                  "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
                  "subjectToken": "<JSON_Web_Token>",
                  "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt"
               }' \
      tokens.iam.api.nebius.cloud:443 \
      nebius.iam.v1.TokenExchangeService/Exchange
   ```

   Specify the JSON Web Token in the request.

   The output is the following:

   ```json
   {
      "accessToken": "<access_token>",
      "issuedTokenType": "urn:ietf:params:oauth:token-type:access_token",
      "tokenType": "Bearer",
      "expiresIn": "43200"
   }
   ```

   The access token expires 12 hours after its creation. The `expiresIn` value from the output is specified in seconds.

2. Add the token to your API request. For example:

   ```bash
   grpcurl -H "Authorization: Bearer <access_token>" \
      cpl.iam.api.nebius.cloud:443 \
      nebius.iam.v1.ProfileService/Get
   ```
