Authentication
Self-Deployed Runtime applications use the OAuth 2.0 client credentials flow to communicate with the Atlan SaaS deployment.
Each deployed application uses an independent Client ID and Client Secret combination. The Client ID and Client Secret are used to generate short-lived tokens, which are used for Self-Deployed Runtime to Atlan SaaS interactions.
How authentication works
The authentication process follows a continuous token refresh cycle:
- The application uses its Client ID and Client Secret to request a JWT token from the Atlan tenant's authentication service
- The JWT token is valid for 15 minutes and is used for all Atlan service communications
- Before the token expires, the application automatically requests a new token and uses it for further interactions
Without a valid token, the application can't communicate with the Atlan SaaS deployment.
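The refresh cycle described above, as an added example (not Atlan's code): a token cache that reuses the JWT while it is valid and renews it before expiry. The 60-second refresh margin, the `TokenCache` class, and the `make_fake_issuer` stand-in for the tenant's token endpoint are assumptions made for illustration.

```python
import base64, json, time
from typing import Callable, Optional

TOKEN_LIFETIME_S = 15 * 60   # token validity stated on this page
REFRESH_MARGIN_S = 60        # assumption: renew one minute before expiry


def jwt_expiry(token: str) -> float:
    """Read the `exp` claim from a JWT payload. No signature check: the client
    only uses it to schedule the refresh; the server validates the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return float(json.loads(base64.urlsafe_b64decode(payload))["exp"])


class TokenCache:
    """Caches one access token and renews it before it expires."""

    def __init__(self, fetch: Callable[[], str], now: Callable[[], float] = time.time,
                 margin: float = REFRESH_MARGIN_S):
        self._fetch, self._now, self._margin = fetch, now, margin
        self._token: Optional[str] = None
        self._exp = 0.0

    def get(self) -> str:
        if self._token is None or self._now() >= self._exp - self._margin:
            token = self._fetch()  # the client credentials request happens here
            exp = jwt_expiry(token)
            if exp <= self._now():
                raise RuntimeError("token service returned an expired token")
            self._token, self._exp = token, exp
        return self._token


def make_fake_issuer(now: Callable[[], float]):
    """Constructed stand-in for the token endpoint (JWT-shaped, not really signed)."""
    def b64(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    calls = {"n": 0}
    def fetch() -> str:
        calls["n"] += 1
        claims = {"exp": now() + TOKEN_LIFETIME_S, "jti": calls["n"]}
        return f'{b64({"alg": "RS256", "typ": "JWT"})}.{b64(claims)}.constructed-signature'
    return fetch, calls
```

In a real deployment `fetch` would perform the client credentials request against the tenant's authentication service, and `get()` would need a lock if it is called from several threads.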
What tokens enable
The authentication system provides these capabilities:
- Uses the OAuth 2.0 client credentials flow per OAuth 2.0 Security - RFC 9700
- Client credentials can be rotated on-demand
- Application registration with Atlan SaaS tenant
- Connecting to Atlan's hosted Temporal orchestrator service
- Transferring application outcome (for example, metadata) to Atlan
See also
- Secret management: How OAuth 2.0 credentials are stored and retrieved from enterprise secret stores.
- Security: Overall security architecture including network isolation and container hardening.