Machine-to-Machine OAuth Clients

Before you begin

Only users with the Server Admin role can create machine-to-machine OAuth clients in Alation

Generating Client ID and Client Secret

1. Navigate to https://your-alation-instance.alationcloud.com/admin/auth/
2. Scroll down until you find OAuth Client Applications
3. Click on Add
4. Give it a Name, set the Access Token Duration (in seconds, min 5 mins, max 72 hours)
5. Select a System User Role - this will determine the permissions the OAuth client will have when accessing Alation resources. Always follow the principle of least privilege and only assign the minimum role necessary for the client to perform its tasks.
6. On clicking save, the Client ID and Client Secret will be generated. Make sure to copy and securely store the Client Secret as it will not be shown again.

Security Note

The client_secret is a sensitive credential, they do not expire automatically and need to be rotated periodically based on your organization’s security policies. Ensure it is stored securely and not exposed in client-side code or public repositories.

Generating JWT Access Tokens

Once you have the client_id and client_secret, you can generate the JWT access token using the following steps:

curl --request POST \
     --url https://your-alation-instance.alationcloud.com/oauth/v2/token/ \
     --header 'accept: application/json' \
     --header 'content-type: application/x-www-form-urlencoded' \
     --data grant_type=client_credentials \
     --data client_id=<client-id from above step> \
     --data client_secret=<client-secret from above step>

The response will contain a JWT token that’s valid for the duration you specified when creating the OAuth client. This can be used to access the REST APIs or the MCP server.

Usage in Production Systems

To ensure unattended flows work seamlessly in production systems, implement a step/node that will fetch a new Access Token using the above curl command before making any API calls.

This ensures that your system always has a valid token and can handle token expiration gracefully.

Token Revocation

Generating a new Access Token automatically invalidates the previous token. Ensure that your application logic accounts for this to avoid using stale tokens.

Configuring Data Warehouse Credentials

When using M2M authentication with agents or tools that execute SQL queries, you must configure data warehouse credentials for each data product you want to query. This is a one-time setup per data product.

Create credentials

After obtaining your access token, configure credentials for your data product:

curl -X POST "https://your-alation-instance.alationcloud.com/api/v2/auth/credentials/" \
  -H "Authorization: Bearer <access_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "state": "unique_identifier",
    "username": "your_datasource_username",
    "password": "your_datasource_password",
    "dp_id": "YOUR_DATA_PRODUCT_ID"
  }'

Parameter	Description
state	A unique identifier for this credential configuration
username	Username for the data warehouse
password	Password for the data warehouse
dp_id	The Data Product ID to associate these credentials with

Once configured, credentials are automatically used when calling SQL-executing agents (Query, Data Product Query, Analytics, Chart Generation) or tools (SQL Execution, Get Data Schema).

Other authentication modes

If you need a different authentication mode apart from username and password, please reach out to us directly.