Authentication

NeMo Platform authenticates requests using OpenID Connect (OIDC). You register an OAuth application in your identity provider, configure NeMo Platform with the issuer and client ID, and users sign in via the CLI, SDK, or browser. NeMo Platform validates the JWT on every request and extracts the user’s identity for authorization.

For the quickstart (no IdP), see the email-based shortcut. For the authorization model, see Authorization Concepts.

Connect Your Identity Provider

Start here — register an OAuth application in your IdP and configure NeMo Platform:

Log In and Make API Calls

Once your IdP is connected, see Using Authentication for the full walkthrough: device flow login, SDK and curl examples, token management, and config file reference.

| Method | Command / Action | Best For |
| --- | --- | --- |
| Device flow (browser) | nemo auth login | Interactive use — opens browser to sign in with your IdP |
| Password grant | nemo auth login --username <user> --password <pass> | CI/CD pipelines — non-interactive |
| Direct from IdP | Use your IdP’s token endpoint or workload identity | Custom integrations, service accounts |

The CLI stores the token and auto-refreshes it before expiry. The SDK reads the stored token from the CLI config automatically — after nemo auth login, NeMoPlatform() works with no arguments.

Discovery Endpoint

NeMo Platform exposes an unauthenticated endpoint that clients and the SDK use to discover OIDC settings:

GET {BASE_URL}/apis/auth/discovery

Response:

    {
      "auth_enabled": true,
      "oidc": {
        "issuer": "https://login.microsoftonline.com/{tenant}/v2.0",
        "token_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
        "device_authorization_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode",
        "client_id": "...",
        "default_scopes": "platform:read platform:write openid profile email offline_access",
        "scope_prefix": "api://nmp/"
      }
    }

The CLI and SDK call this endpoint automatically during nemo auth login or when initializing the client.
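
Because the discovery endpoint is unauthenticated and a client sends its sign-in requests to the endpoints the response names, a custom integration can check the response against values pinned out of band before using it. The Python below is an added example, not NeMo Platform or SDK code; `check_discovery`, the pinned issuer, the host allowlist, and the sample tenant and client ID are assumptions made for illustration.

```python
import copy
from urllib.parse import urlsplit

URL_KEYS = ("issuer", "token_endpoint", "device_authorization_endpoint")

def check_discovery(doc, expected_issuer, allowed_hosts):
    """Return a list of problems; an empty list means the document passed."""
    problems = []
    if doc.get("auth_enabled") is not True:
        problems.append("auth_enabled is not true")
    oidc = doc.get("oidc")
    if not isinstance(oidc, dict):
        return problems + ["oidc object missing"]
    if not oidc.get("client_id"):
        problems.append("client_id missing")
    if oidc.get("issuer") != expected_issuer:
        problems.append("issuer differs from pinned value")
    for key in URL_KEYS:
        value = oidc.get(key)
        if not isinstance(value, str):
            problems.append(f"{key} missing")
            continue
        url = urlsplit(value)
        if url.scheme != "https":
            problems.append(f"{key} is not https")
        # .hostname ignores userinfo, so "https://allowed@other-host/" fails here
        if url.hostname not in allowed_hosts:
            problems.append(f"{key} host not allowed")
    return problems

# Constructed sample: the response shape shown above with a made-up tenant and client ID.
TENANT = "11111111-2222-3333-4444-555555555555"
BASE = f"https://login.microsoftonline.com/{TENANT}"
PINNED_ISSUER = f"{BASE}/v2.0"                 # assumed to come from your IdP admin
ALLOWED_HOSTS = {"login.microsoftonline.com"}  # assumed allowlist for this IdP
SAMPLE = {
    "auth_enabled": True,
    "oidc": {
        "issuer": PINNED_ISSUER,
        "token_endpoint": f"{BASE}/oauth2/v2.0/token",
        "device_authorization_endpoint": f"{BASE}/oauth2/v2.0/devicecode",
        "client_id": "constructed-client-id",
    },
}

def tampered_sample():
    # Constructed failure case: token endpoint moved to a lookalike host over http.
    doc = copy.deepcopy(SAMPLE)
    doc["oidc"]["token_endpoint"] = "http://login.microsoftonline.com.example.net/token"
    return doc
```

An empty result means the document matches the pinned values; any entry in the list is a reason to stop before sending credentials.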