Skip to main content
LanceDB Enterprise supports two ways for clients to authenticate against a db:// remote table:
  • API keys — a long-lived shared secret passed as api_key on connect. Works in every SDK.
  • OAuth 2.0 — short-lived bearer tokens obtained from your identity provider, refreshed automatically by the client.
OAuth is the recommended option when you want to rotate credentials centrally, plug into an existing identity provider, or run on Azure with managed identities so no secret material lives on the client.

API key

Pass the API key from your Enterprise tenant on connect. This works with both the synchronous and asynchronous Python clients, as well as TypeScript and Rust.
Python

OAuth

The async Python client and the TypeScript client can obtain bearer tokens from an OIDC issuer and attach them to every request. Token acquisition, caching, and refresh are handled inside the client — your application code only provides the configuration.
In Python, OAuth is supported through lancedb.connect_async. The synchronous connect entry point continues to use API key authentication for db:// URIs. In TypeScript, lancedb.connect accepts oauthConfig directly.

Supported flows

OAuthFlowType selects how the client acquires tokens:

Configure OAuth

Build an OAuth config and pass it on connect. Use oauth_config in Python and oauthConfig in TypeScript.
For workloads running on Azure compute, use a managed identity instead of a client secret:

Configuration reference

The same configuration is available in both SDKs. Python uses snake_case field names; TypeScript uses camelCase.
Treat the client secret like any other production credential. Load it from a secret manager or environment variable rather than committing it to source control. Both SDKs deliberately omit the secret from their debug/repr output so accidental log lines do not expose the value.