Authorization

The NeMo Microservices Platform includes a comprehensive authorization system that controls who can access which resources and what actions they can perform. This enables secure multi-user deployments where teams can collaborate on AI projects while maintaining proper access controls.

Key Features

• Workspace-based Access Control: All resources are organized into workspaces, which serve as the primary authorization boundary.

• Role-Based Permissions: Grant predefined roles (Viewer, Editor, Admin) to users within workspaces.

• Flexible Sharing: Share workspaces with specific users or make them publicly accessible for read-only collaboration.

• API Scopes: Create fine-grained, token-level controls for API access.

Getting Started

Step 1: Enable Authorization

When running NeMo Microservices with Quickstart, enable authorization during configuration:

$ nmp quickstart configure

NMP Quickstart Configuration
...
Step 3 of 3: Save Config
Save configuration?
  1. Save configuration
> 2. Configure advanced options - authentication, ports, registry

• Platform Authorization
Enable auth to require authentication for API requests.
When enabled, you can set an admin email to bootstrap access.

Enable authentication/authorization?
  1. No - Allow all requests without authentication
> 2. Yes - Require authentication for API access

✓ Authorization enabled

Admin email (grants PlatformAdmin role): admin@example.com
✓ Admin: admin@example.com

ℹ  All CLI requests will be authenticated as admin@example.com.
   To use a different identity: nmp config set --api-key <email>
...
✓ Configuration saved successfully!

The admin email you provide will be granted the PlatformAdmin role, giving full access to all platform operations.

Note

Automatic CLI Configuration

When you enable authorization during nmp quickstart configure, the CLI is automatically configured to authenticate as the platform admin using the email you provided. All subsequent CLI commands (including nmp quickstart up) will be authenticated as this admin—you’ll see a reminder message when the cluster starts:

ℹ  Authentication enabled: All CLI requests will be authenticated as admin@example.com (platform admin).
    To use a different identity, run: nmp config set --api-key <email>

Step 2: Make Authenticated Calls

Once authorization is enabled, all API requests must be authenticated. The CLI is already configured after Step 1. For the Python SDK, pass the token in the default_headers when creating the client.

CLI

# CLI is already configured after quickstart configure
# All commands are authenticated as the admin
nmp workspaces list

# To use a different identity:
nmp config set --api-key other-user@example.com

Python SDK

from nemo_microservices import NeMoMicroservices

client = NeMoMicroservices(
    base_url="http://localhost:8080",
    default_headers={
        "Authorization": f"Bearer {TOKEN}"
    }
)

# Make authenticated API calls
workspaces = client.workspaces.list()
print(f"Found {len(workspaces.data)} workspaces")

Note

Quickstart Mode

In quickstart/development mode, you can authenticate by setting the X-NMP-Principal-Id header directly to your email address instead of using a Bearer token:

client = NeMoMicroservices(
    base_url="http://localhost:8080",
    default_headers={
        "X-NMP-Principal-Id": "admin@example.com"
    }
)

Next Steps

• Authorization Concepts: Learn about the authorization model, roles, permissions, and how access control works.

• Managing Access: Add users to workspaces, assign roles, and manage permissions for your team.