# Authentication

NeMo Platform authenticates requests using **OpenID Connect (OIDC)**. You register an OAuth application in your identity provider, configure NeMo Platform with the issuer and client ID, and users sign in via the CLI, SDK, or browser. NeMo Platform validates the JWT on every request and extracts the user's identity for authorization.

For the quickstart (no IdP), see the [email-based shortcut](/documentation/access-control/overview). For the authorization model, see [Authorization Concepts](/documentation/access-control/concepts).

## Connect Your Identity Provider

Start here — register an OAuth application in your IdP and configure NeMo Platform:

* [OIDC Setup](/documentation/access-control/authentication/oidc-setup) — Step-by-step: register an app, configure NeMo Platform, verify login.
* [Azure AD (Entra ID)](/documentation/access-control/authentication/providers/azure-ad-entra-id) — Azure-specific walkthrough (app registration, scopes, claim mapping).
* [Generic OIDC Provider](/documentation/access-control/authentication/providers/generic-oidc) — Checklist for any OIDC-compliant IdP.

## Log In and Make API Calls

Once your IdP is connected, see [Using Authentication](/documentation/access-control/authentication/using-authentication) for the full walkthrough: device flow login, SDK and curl examples, token management, and config file reference.

| Method                    | Command / Action                                      | Best For                                                 |
| ------------------------- | ----------------------------------------------------- | -------------------------------------------------------- |
| **Device flow** (browser) | `nemo auth login`                                     | Interactive use — opens browser to sign in with your IdP |
| **Password grant**        | `nemo auth login --username <user> --password <pass>` | CI/CD pipelines — non-interactive                        |
| **Direct from IdP**       | Use your IdP's token endpoint or workload identity    | Custom integrations, service accounts                    |

The CLI stores the token and auto-refreshes it before expiry. The SDK reads the stored token from the CLI config automatically — after `nemo auth login`, `NeMoPlatform()` works with no arguments.

## Discovery Endpoint

NeMo Platform exposes an unauthenticated endpoint that clients and the SDK use to discover OIDC settings:

```text
GET {BASE_URL}/apis/auth/discovery
```

Response:

```json
{
  "auth_enabled": true,
  "oidc": {
    "issuer": "https://login.microsoftonline.com/{tenant}/v2.0",
    "token_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
    "device_authorization_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode",
    "client_id": "...",
    "default_scopes": "platform:read platform:write openid profile email offline_access",
    "scope_prefix": "api://nmp/"
  }
}
```

The CLI and SDK call this endpoint automatically during `nemo auth login` or when initializing the client.
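
Because the discovery endpoint is unauthenticated, a client that uses the returned `token_endpoint` can pin the issuer it expects and check the response against it before logging in. The following is an added example, not code from NeMo Platform or its SDK; `discovery_problems`, `PINNED_ISSUER`, the tenant ID and the client ID are constructed, and the same-host rule is an assumption that fits the sample response above.

```python
from urllib.parse import urlsplit

# Constructed values: the tenant ID and client ID are placeholders.
PINNED_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
_BASE = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0"
SAMPLE_RESPONSE = {
    "auth_enabled": True,
    "oidc": {
        "issuer": PINNED_ISSUER,
        "token_endpoint": _BASE + "/token",
        "device_authorization_endpoint": _BASE + "/devicecode",
        "client_id": "constructed-client-id",
        "default_scopes": "platform:read platform:write openid profile email offline_access",
        "scope_prefix": "api://nmp/",
    },
}
ENDPOINT_KEYS = ("issuer", "token_endpoint", "device_authorization_endpoint")


def discovery_problems(doc, expected_issuer):
    """Return reasons not to trust a discovery response (empty list = usable).

    expected_issuer is configured out of band by the operator; it is never
    taken from the discovery response itself.
    """
    # A client that expects OIDC treats "auth disabled" as a downgrade signal.
    if doc.get("auth_enabled") is not True:
        return ["auth_enabled is not true"]
    oidc = doc.get("oidc")
    if not isinstance(oidc, dict):
        return ["oidc object is missing"]
    problems = []
    if oidc.get("issuer") != expected_issuer:
        problems.append("issuer does not match the pinned issuer")
    pinned_host = urlsplit(expected_issuer).hostname
    for key in ENDPOINT_KEYS:
        url = urlsplit(str(oidc.get(key) or ""))
        if url.scheme != "https" or not url.hostname:
            problems.append(f"{key} is not an https URL")
        # Assumption: the IdP serves its endpoints on the issuer's host, as in
        # the sample response. Relax this for IdPs that use separate hosts.
        elif url.hostname != pinned_host:
            problems.append(f"{key} host differs from the pinned issuer host")
    if not oidc.get("client_id"):
        problems.append("client_id is empty")
    return problems


if __name__ == "__main__":
    print(discovery_problems(SAMPLE_RESPONSE, PINNED_ISSUER))
```
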

## Related

* [Using Authentication](/documentation/access-control/authentication/using-authentication) — Log in, make API calls, and manage tokens.
* [Security Model](/documentation/access-control/security-model) — Trust boundaries and the principal model.