How Atlan connects to Cyera

Atlan connects to Cyera's cloud API to extract data classification metadata, including classifications, sensitivity context, security issue findings, and identity access metadata, while maintaining security and compliance. Cyera uses a fixed API endpoint (api.cyera.io) and JWT-based authentication via Client ID and Client Secret.

Connect to Cyera

The Cyera workflow supports two connectivity modes. Direct mode establishes a direct HTTPS connection from the Atlan SaaS tenant to the Cyera API using credentials you generate in Cyera. Self-Deployed Runtime (SDR) mode lets the runtime in your environment hold the credential and push metadata to Atlan. See Self-Deployed Runtime for setup requirements.

The sequence below shows the direct connectivity flow.

• Atlan authenticates using short-lived JWT tokens obtained via the /v1/login endpoint with Client ID and Client Secret.
• Atlan queries four Cyera API surfaces:
  • /v2/datastores: datastore inventory for mapping in the workflow UI.
  • /v1/tables/stream: table and column classifications, streamed as NDJSON.
  • /v3/issues: security issue findings, aggregated at the database level.
  • /v1/datastores/{uid}/identities: identity access metadata, aggregated at the database level.
• You can browse and select Cyera Datastores from a dropdown list in the workflow configuration, populated by querying the Cyera datastores endpoint.

For details on how direct connectivity works, see Direct connectivity.

Security

Atlan extracts only classification metadata: data class names, sensitivity levels, tokenization status, and security issue summaries. For example, if Cyera has classified a CUSTOMERS table as containing PII, Atlan discovers the classification and sensitivity information, but never accesses or stores the customer records themselves.

• Read-only operations: All Cyera API calls are read-only. The connector can't modify classifications, create or delete policies, or change any Cyera configuration. The permissions granted to the API token control exactly what the connector can access.

• Credential encryption: Cyera Client ID and Client Secret values are encrypted at rest and in transit. Atlan encrypts credentials before storage and uses them only to obtain short-lived JWT tokens for API calls.

• Fixed API endpoint: Cyera exposes a single cloud API endpoint (api.cyera.io). Atlan connects only to this endpoint. No direct access to your underlying data stores occurs during the crawl.

See also

• Direct connectivity: How Atlan connects directly to data sources
• Set up Cyera: Create an API token and obtain credentials
• Crawl Cyera: Configure and run the crawler