OAuth Token
This endpoint uses the Dremio OAuth authorization server base URL.
After a valid request, Dremio returns an OAuth access token in a JSON object, along with the token lifetime and other metadata.
OAuth Token Object{
"access_token": "eyJz93a...k4laUWw",
"expires_in": 3599,
"token_type": "Bearer",
"issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
"scope": "dremio.all"
}
Object Attributes
access_token String
The returned access token. A client application passes this token when connecting to Dremio.
Example: eyJz93a...k4laUWw
expires_in Integer
The access token lifetime in seconds. The default lifetime is 3600 seconds (1 hour).
Example: 3599
token_type String
Bearer for all access tokens.
issued_token_type String
urn:ietf:params:oauth:token-type:access_token for access tokens.
scope String
The scope of the request. For a token exchange, the scope is dremio.all.
Exchange an External JWT
Clients who authenticate with an OIDC external token provider can exchange their JWT for an OAuth access token that can be used to create connections to Dremio.
Method and URLPOST https://login.dremio.cloud/oauth/token
Parameters
subject_token Body String
The external JWT obtained from an OIDC provider such as Microsoft Entra ID.
Example: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz...DYynR2lK6xB8xrAprgPA
subject_token_type Body String
The type of subject token used. For an external JWT, the subject_token_type is urn:ietf:params:oauth:token-type:jwt.
grant_type Body String
The grant type being requested. For a token exchange, the grant_type is urn:ietf:params:oauth:grant-type:token-exchange.
scope Body String
The scope of the request. For a token exchange, the scope is dremio.all.
Examples
- cURL
- Python
curl -X POST 'https://login.dremio.cloud/oauth/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'subject_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz...DYynR2lK6xB8xrAprgPA' \
--data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:jwt' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'scope=dremio.all'
{
"access_token": "eyJz93a...k4laUWw",
"expires_in": 3599,
"token_type": "Bearer",
"issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
"scope": "dremio.all"
}
import requests
form_data = {
"subject_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz...DYynR2lK6xB8xrAprgPA",
"subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
"grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
"scope": "dremio.all"
}
request_header = {"Content-Type": "application/x-www-form-urlencoded"}
token_exchange_response = requests.post(
"https://login.dremio.cloud/oauth/token", headers=request_header, data=form_data)
if token_exchange_response.status_code == 200:
token_exchange_response_json = token_exchange_response.json()
dremio_access_token = token_exchange_response_json["access_token"]
dremio_access_token_expires_in_sec = token_exchange_response_json["expires_in"]
else:
print("Error: " + str(token_exchange_response.status_code))
The lifetime of this token is the time remaining on the external JWT, up to a maximum of one hour.
Response Status Codes
200 OK
400 Bad Request
401 Unauthorized
403 Forbidden
500 Internal Server Error
Exchange a PAT
Exchanging a Personal Access Token (PAT) for an OAuth access token provides the security benefit of a shorter token lifetime while allowing a client application to access protected resources with a more controlled access mechanism. OAuth access tokens also perform better due to faster validation times than PATs.
Method and URLPOST https://login.dremio.cloud/oauth/token
Parameters
subject_token Body String
The Personal Access Token to be exchanged.
Example: wPTsz2YrTVWQ7fw436Ec...911rJzUm6Xs1XrvU+w==
subject_token_type Body String
The type of subject token used. For a PAT, the subject_token_type is urn:ietf:params:oauth:token-type:dremio:personal-access-token.
grant_type Body String
The grant type being requested. For a token exchange, the grant_type is urn:ietf:params:oauth:grant-type:token-exchange.
scope Body String
The scope of the request. For a token exchange, the scope is dremio.all.
Examples
- cURL
- Python
curl -X POST 'https://login.dremio.cloud/oauth/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'subject_token=wPTsz2YrTVWQ7fw436Ec7Vs16TAWeRyojniYNXED1THt911rJzUm6Xs1XrvU+w==' \
--data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:dremio:personal-access-token' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'scope=dremio.all'
{
"access_token": "eyJz93a...k4laUWw",
"expires_in": 3599,
"token_type": "Bearer",
"issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
"scope": "dremio.all"
}
import requests
form_data = {
"subject_token": "wPTsz2YrTVWQ7fw436Ec...911rJzUm6Xs1XrvU+w==",
"subject_token_type": "urn:ietf:params:oauth:token-type:dremio:personal-access-token",
"grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
"scope": "dremio.all"
}
request_header = {"Content-Type": "application/x-www-form-urlencoded"}
token_exchange_response = requests.post(
"https://login.dremio.cloud/oauth/token", headers=request_header, data=form_data)
if token_exchange_response.status_code == 200:
token_exchange_response_json = token_exchange_response.json()
dremio_access_token = token_exchange_response_json["access_token"]
dremio_access_token_expires_in_sec = token_exchange_response_json["expires_in"]
else:
print("Error: " + str(token_exchange_response.status_code))
The lifetime of this token is the remaining lifetime of the PAT used in the exchange, up to a maximum of one hour.
Response Status Codes
200 OK
400 Bad Request
401 Unauthorized
403 Forbidden
500 Internal Server Error