Skip to main content
LanceDB Enterprise supports two ways for clients to authenticate against a db:// remote table:
  • API keys — a long-lived shared secret passed as api_key on connect. Works in every SDK.
  • OAuth 2.0 — short-lived bearer tokens obtained from your identity provider, refreshed automatically by the client.
OAuth is the recommended option when you want to rotate credentials centrally, plug into an existing identity provider, or run on Azure with managed identities so no secret material lives on the client.

API key

Pass the API key from your Enterprise tenant on connect. This works with both the synchronous and asynchronous Python clients, as well as TypeScript and Rust.
Python
import lancedb

db = lancedb.connect(
    uri="db://your-database-uri",
    api_key="your-api-key",
    region="us-east-1",
    host_override="https://your-enterprise-endpoint.com",
)

OAuth

The async Python client and the TypeScript client can obtain bearer tokens from an OIDC issuer and attach them to every request. Token acquisition, caching, and refresh are handled inside the client — your application code only provides the configuration.
In Python, OAuth is supported through lancedb.connect_async. The synchronous connect entry point continues to use API key authentication for db:// URIs. In TypeScript, lancedb.connect accepts oauthConfig directly.

Supported flows

OAuthFlowType selects how the client acquires tokens:
FlowPython valueTypeScript valueWhen to use
Client CredentialsOAuthFlowType.CLIENT_CREDENTIALSOAuthFlowType.ClientCredentialsService-to-service / machine-to-machine. Requires a client ID and client secret registered with your identity provider.
Azure Managed IdentityOAuthFlowType.AZURE_MANAGED_IDENTITYOAuthFlowType.AzureManagedIdentityWorkloads running on Azure compute (VMs, AKS, App Service, Container Apps). Tokens are fetched from the Azure IMDS endpoint, so no client secret is stored on the client.

Configure OAuth

Build an OAuth config and pass it on connect. Use oauth_config in Python and oauthConfig in TypeScript. 
import lancedb
from lancedb.remote import OAuthConfig, OAuthFlowType

# Client Credentials (service-to-service)
oauth_config = OAuthConfig(
    issuer_url="https://login.microsoftonline.com/{tenant}/v2.0",
    client_id="your-application-client-id",
    client_secret="your-application-client-secret",
    scopes=["api://lancedb-api/.default"],
    flow=OAuthFlowType.CLIENT_CREDENTIALS,
)

db = await lancedb.connect_async(
    uri="db://your-database-uri",
    region="us-east-1",
    host_override="https://your-enterprise-endpoint.com",
    oauth_config=oauth_config,
)
For workloads running on Azure compute, use a managed identity instead of a client secret: 
from lancedb.remote import OAuthConfig, OAuthFlowType

oauth_config = OAuthConfig(
    issuer_url="https://login.microsoftonline.com/{tenant}/v2.0",
    client_id="your-application-client-id",
    scopes=["api://lancedb-api/.default"],
    flow=OAuthFlowType.AZURE_MANAGED_IDENTITY,
    # Optional: required only for user-assigned managed identities.
    managed_identity_client_id="your-user-assigned-identity-client-id",
)

Configuration reference

The same configuration is available in both SDKs. Python uses snake_case field names; TypeScript uses camelCase.
Python field / TypeScript fieldRequiredDescription
issuer_url / issuerUrlYesOIDC issuer URL or OAuth authority URL. For Azure, use https://login.microsoftonline.com/{tenant_id}/v2.0.
client_id / clientIdYesApplication / client ID registered with your identity provider.
scopesYesList of OAuth scopes to request. For Azure managed identity, provide exactly one scope or resource, for example ["api://your-app-id/.default"].
flowNoSelects the OAuth flow. Defaults to Client Credentials.
client_secret / clientSecretConditionalRequired for Client Credentials. Redacted from the config’s repr (Python) and Debug output (TypeScript native binding) so it does not leak into logs.
managed_identity_client_id / managedIdentityClientIdNoClient ID of a user-assigned managed identity. Only used with Azure Managed Identity; omit for system-assigned identities.
refresh_buffer_secs / refreshBufferSecsNoHow many seconds before token expiry to proactively refresh. Defaults to 300. Keep this well below the token TTL — setting it greater than or equal to the TTL forces a refresh on every request.
Treat the client secret like any other production credential. Load it from a secret manager or environment variable rather than committing it to source control. Both SDKs deliberately omit the secret from their debug/repr output so accidental log lines do not expose the value.