Authentication

NMP authenticates requests using OpenID Connect (OIDC). You register an OAuth application in your identity provider, configure NMP with the issuer and client ID, and users sign in via the CLI, SDK, or browser. NMP validates the JWT on every request and extracts the user’s identity for authorization.

For the quickstart (no IdP), see the email-based shortcut. For the authorization model, see Authorization Concepts.

Connect Your Identity Provider

Start here — register an OAuth application in your IdP and configure NMP:

Log In and Make API Calls

Once your IdP is connected, see Using Authentication for the full walkthrough: device flow login, SDK and curl examples, token management, and config file reference.

| Method | Command / Action | Best For |
|---|---|---|
| Device flow (browser) | nmp auth login | Interactive use — opens browser to sign in with your IdP |
| Password grant | nmp auth login --username <user> --password <pass> | CI/CD pipelines — non-interactive |
| Direct from IdP | Use your IdP’s token endpoint or workload identity | Custom integrations, service accounts |

The CLI stores the token and auto-refreshes it before expiry. The SDK reads the stored token from the CLI config automatically — after nmp auth login, NeMoPlatform() works with no arguments.

Discovery Endpoint

NMP exposes an unauthenticated endpoint that clients and the SDK use to discover OIDC settings:

GET {BASE_URL}/apis/auth/discovery

Response:

{
  "auth_enabled": true,
  "oidc": {
    "issuer": "https://login.microsoftonline.com/{tenant}/v2.0",
    "token_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
    "device_authorization_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode",
    "client_id": "...",
    "default_scopes": "platform:read platform:write openid profile email offline_access",
    "scope_prefix": "api://nmp/"
  }
}

The CLI and SDK call this endpoint automatically during nmp auth login or when initializing the client.
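
Because the discovery endpoint is unauthenticated and clients take their OIDC endpoints from it, a deployment check can compare the response against values pinned out of band. The following is an added example, not NMP or SDK code; check_discovery, the pinned issuer and client ID, the allowed-host set, and the sample tenant are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like the response above; tenant and client_id are placeholders.
SAMPLE = json.loads("""
{
  "auth_enabled": true,
  "oidc": {
    "issuer": "https://login.microsoftonline.com/example-tenant/v2.0",
    "token_endpoint": "https://login.microsoftonline.com/example-tenant/oauth2/v2.0/token",
    "device_authorization_endpoint": "https://login.microsoftonline.com/example-tenant/oauth2/v2.0/devicecode",
    "client_id": "example-client-id",
    "default_scopes": "platform:read platform:write openid profile email offline_access",
    "scope_prefix": "api://nmp/"
  }
}
""")

# Values the operator pins out of band (assumed here, not read from NMP).
PINNED_ISSUER = "https://login.microsoftonline.com/example-tenant/v2.0"
PINNED_CLIENT_ID = "example-client-id"
ALLOWED_HOSTS = {"login.microsoftonline.com"}


def check_discovery(doc, issuer=PINNED_ISSUER, client_id=PINNED_CLIENT_ID, hosts=ALLOWED_HOSTS):
    """Return a list of mismatches; an empty list means the response matches the pins."""
    problems = []
    if doc.get("auth_enabled") is not True:
        problems.append("auth_enabled is not true")
    oidc = doc.get("oidc") or {}
    if oidc.get("issuer") != issuer:
        problems.append("issuer does not match pinned value")
    if oidc.get("client_id") != client_id:
        problems.append("client_id does not match pinned value")
    # Tokens and device codes are requested from these URLs, so pin scheme and host.
    for key in ("token_endpoint", "device_authorization_endpoint"):
        url = urlsplit(str(oidc.get(key) or ""))
        if url.scheme != "https":
            problems.append(f"{key} is not an https URL")
        elif url.hostname not in hosts:
            problems.append(f"{key} host {url.hostname!r} is not allowed")
    if "openid" not in str(oidc.get("default_scopes") or "").split():
        problems.append("default_scopes lacks openid")
    return problems


if __name__ == "__main__":
    print(check_discovery(SAMPLE) or "discovery response matches pinned values")
```

An IdP that serves its token endpoint from a different host than its issuer needs each of those hosts listed in the allowed set.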