Authentication and Authorization

NMP includes a built-in security layer that lets you control who can access your platform and what they can do. When multiple teams or users share an NMP deployment, authentication and authorization ensure that each user sees only the workspaces and resources they are permitted to access, and can only perform actions appropriate to their role.

Access control has two layers:

  • Authentication — Prove your identity. NMP validates a JWT issued by your OpenID Connect (OIDC) identity provider.

  • Authorization — Control what you can do. Workspace-scoped RBAC with roles (Viewer, Editor, Admin) and optional API scopes on tokens.

Both layers are opt-in. When auth.enabled is false (the default), all requests are allowed without checks. This lets you get started quickly and add security when you are ready for multi-user or production deployments.

How Authentication Works

NMP authenticates every request using a JWT from your OIDC identity provider. The token is sent in the Authorization: Bearer <token> header, and NMP validates the signature, issuer, audience, and expiry. Refer to OIDC Setup to connect your identity provider.
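To make the four checks concrete, here is an added example (not part of the NMP documentation or code base) of a minimal validator that runs them in the same order on a compact JWT: signature, then issuer, audience and expiry. It uses a constructed HS256 shared key, issuer and audience, plus a small helper that mints tokens, instead of the RS256 keys a real OIDC provider publishes, so it runs offline; it also shows why an unsigned token (alg none, as produced by the quickstart shortcut) fails the signature check as soon as a verifying key is required.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example only; NMP reads its real issuer,
# audience and signing keys from the OIDC configuration.
EXPECTED_ISSUER = "https://idp.example.com/"
EXPECTED_AUDIENCE = "nmp-api"
SIGNING_KEY = b"constructed-demo-hmac-key"
NOW = 1_700_000_000  # fixed "current time" so results are reproducible


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, key: Optional[bytes] = SIGNING_KEY) -> str:
    """Build a compact JWT. key=None yields an unsigned token (alg 'none'),
    like the quickstart shortcut; otherwise the token is HS256-signed."""
    header = {"alg": "HS256" if key else "none", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header).encode())
        + "."
        + _b64url_encode(json.dumps(claims).encode())
    )
    if key is None:
        return signing_input + "."  # empty signature segment
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, key: bytes = SIGNING_KEY,
                   now: Optional[float] = None) -> dict:
    """Return the claims if every check passes; otherwise raise ValueError
    whose message starts with the failed check (signature/issuer/audience/expiry)."""
    try:
        header_seg, payload_seg, sig_seg = token.split(".")
        header = json.loads(_b64url_decode(header_seg))
        claims = json.loads(_b64url_decode(payload_seg))
    except ValueError:  # bad segment count, bad base64, bad JSON, bad UTF-8
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")

    # 1. Signature: only the configured algorithm is acceptable. A token
    #    claiming alg 'none' is rejected before its claims are trusted at all.
    if header.get("alg") != "HS256":
        raise ValueError(f"signature: unsupported alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_seg}.{payload_seg}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_seg)):
        raise ValueError("signature: verification failed")

    # 2. Issuer: the token must come from the configured identity provider.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer: unexpected iss claim")

    # 3. Audience: 'aud' may be a string or a list; ours must be present.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("audience: token not intended for this API")

    # 4. Expiry: 'exp' is required and must lie in the future.
    current = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or current >= exp:
        raise ValueError("expiry: token expired or missing exp claim")

    return claims


def check_token(token: str, now: float, key: bytes = SIGNING_KEY) -> str:
    """Convenience wrapper: 'ok' or the name of the first failed check."""
    try:
        validate_token(token, key=key, now=now)
        return "ok"
    except ValueError as err:
        return str(err).split(":")[0]


# Constructed claims for a user that the quickstart flow would treat as admin.
GOOD_CLAIMS = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
               "sub": "admin@example.com", "exp": NOW + 3600}

if __name__ == "__main__":
    print("signed, valid   :", check_token(mint_token(GOOD_CLAIMS), NOW))
    print("unsigned (none) :", check_token(mint_token(GOOD_CLAIMS, key=None), NOW))
    print("wrong audience  :", check_token(mint_token({**GOOD_CLAIMS, "aud": "other-api"}), NOW))
    print("expired         :", check_token(mint_token(GOOD_CLAIMS), NOW + 7200))
```

A production validator resolves the verification key from the provider's JWKS endpoint using the token's `kid` header instead of a shared secret, but the order of checks and the failure modes are the same: an unsigned or mis-signed token never reaches the issuer, audience or expiry checks.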

How you obtain the token depends on your context:

  • CLI — Run nmp auth login to authenticate using the browser-based device flow. The CLI stores and auto-refreshes the token. Refer to Using Authentication.

  • SDK — After nmp auth login, the Python SDK automatically reads stored tokens from the CLI config and refreshes them transparently. Refer to Using Authentication.

  • HTTP — For raw HTTP calls, fetch a token from your IdP (or from the CLI using nmp auth token) and pass it in the Authorization: Bearer <token> header.

  • Studio — When auth is enabled, Studio automatically redirects you to your IdP to sign in and uses the resulting token for all API calls.

Tip

Quickstart shortcut — When running NMP quickstart without an OIDC provider, you can use an unsigned JWT:

nmp auth login --unsigned-token --email <email>

Quickstart-generated unsigned tokens expire after 24 hours.

Unsigned JWT login only works for quickstart and must not be used in production. See Getting Started below.

Getting Started

Quickstart / Development

Step 1: Enable Authorization

Run nmp quickstart configure, select Configure advanced options, then answer Yes to Enable authentication. Provide an admin email — it receives the PlatformAdmin role with full platform access.

$ nmp quickstart configure
# Select: Configure advanced options → Enable authentication → Yes
# Enter admin email: admin@example.com

Full quickstart configure output:

NMP Quickstart Configuration
...
Step 3 of 3: Save Config
Save configuration?
  1. Save configuration
> 2. Configure advanced options - authentication, ports, registry

• Platform Authorization
Enable auth to require authentication for API requests.
When enabled, you can set an admin email to bootstrap access.

Enable authentication/authorization?
  1. No - Allow all requests without authentication
> 2. Yes - Require authentication for API access

✓ Authorization enabled

Admin email (grants PlatformAdmin role): admin@example.com
✓ Admin: admin@example.com

ℹ  All CLI requests will be authenticated as admin@example.com.
   To use a different identity: nmp auth login --unsigned-token --email <email>
...
✓ Configuration saved successfully!

The CLI is automatically configured to authenticate as the admin email for all subsequent commands (including nmp quickstart up). To switch identity, run:

nmp auth login --unsigned-token --email <email>

Step 2: Make Authenticated Calls

After authorization is enabled, all API requests must include an identity. The CLI and SDK are already configured after Step 1 — they read the admin email from the CLI config automatically.

CLI:

# CLI is already configured after quickstart configure
# All commands are authenticated as the admin
nmp workspaces list

# To use a different identity:
nmp auth login --unsigned-token --email other-user@example.com

Python SDK:

from nemo_platform import NeMoPlatform

# No arguments needed — the SDK reads base_url, workspace, and credentials
# from the active CLI context (set by `nmp auth login` or `nmp quickstart configure`).
# See: Initializing the CLI and SDK in the quickstart for other init options.
client = NeMoPlatform()

workspaces = client.workspaces.list()
print(f"Found {len(workspaces.data)} workspaces")

Production / Helm Deployment

For production or Helm-based deployments, enable auth by setting platformConfig.auth.enabled: true in your Helm values and configure the auth: section in platform config. Refer to Auth Configuration for the full reference and OIDC Setup to connect your identity provider.

Where to Go Next

  • Security Model: Understand how NMP authentication and authorization work together — trust boundaries, principal model, and authorization layers.

  • Connect an Identity Provider (OIDC Setup): Configure NMP to authenticate users using your OIDC identity provider.

  • Manage Workspace Access (Managing Access): Add users to workspaces, assign roles, and control who can access your resources.

  • Configuration Reference: Full configuration reference — enabling auth, PDP provider, OIDC settings, environment variables.

  • Harden for Production (Production Hardening): Security checklist for production deployments — OIDC, gateway headers, scoped tokens, TLS.

  • Troubleshooting: Fix common auth issues — 401/403 errors, login failures, role propagation delays.