Authenticate for Platform Operations
Generate OAuth credentials
The primary method used to authenticate for Platform Operations is OAuth2. Specifically, you need to generate a machine-to-machine OAuth client. These are available at two levels in Qlik Cloud, depending on your subscription.
Note: This section relates to the use of machine-to-machine OAuth to support Platform Operations. For a general overview of OAuth, refer to the OAuth2 Overview.
Tenant provisioning is handled by My Qlik, the subscription management portal for Qlik Cloud. If you are entitled to a single tenant, then you will use this portal to create your tenant interactively, before logging into that tenant to create an OAuth client to continue with this tutorial series. If you are entitled to multiple tenants, then the portal will be used to procure region level OAuth clients for your entitlement.
If you are planning to deploy multiple tenants and you haven’t used these features before, please reach out to your Qlik account manager as it’s likely that you will need changes made to your Qlik entitlement before you begin.
Tenant and region level OAuth clients
Within a Qlik Cloud tenant, it is possible to generate API keys on a per-user level or OAuth clients on a per-tenant level to provide credentials for use with Qlik APIs. OAuth clients generated at this level will be referred to as a tenant-level OAuth client. These are the most common types of OAuth client in Qlik Cloud and are used for the various embedding and integration use cases.
To simplify user and credential management when you’re managing more than one tenant, Qlik provides the ability for the Service Account Owner (SAO) of a subscription to set up regional OAuth clients in the My Qlik portal, which will be referred to as a region level OAuth client.
Each region level OAuth client provides full access to all Qlik Cloud tenants deployed to that region, without requiring additional credentials or OAuth clients. To achieve the same thing with tenant level OAuth clients, you would need to first manually create a new machine-to-machine client on each tenant, and handle dynamically switching between these credentials in your orchestration code or tooling.
When to use each type of OAuth client
If you are deploying tenants on a single Qlik subscription and have a multiple tenant entitlement, you will have access to the region level OAuth clients, and should use these to simplify management.
If you have one or more Qlik subscriptions which do not have a multiple tenant entitlement, then you will need to generate tenant level OAuth clients.
What happens when an OAuth client is created
The first time an OAuth client is used for a request to a tenant, a corresponding non-interactive bot user is automatically created on the tenant, which acts with privileges equivalent to the TenantAdmin role on a tenant (the highest level of access available). A bot user can be assigned roles in the same way as any other user on a tenant to provide additional capabilities.
Actions performed by the bot user will be captured in the audit logs for the tenant. Any content deployed using the OAuth client will be owned by the bot user that corresponds to that OAuth client.
For tenant level bot users, the username of the bot will match the name entered for the OAuth client when it was set up. Each bot will consume 1 professional license per tenant.
For region level bot users, the username of the bot will match <region> OAuth client where <region> is one of AP, DE, EU, SG, UK, or US. Each bot will consume 1 professional license per region, irrespective of the number of tenants deployed in that region.
Qlik Cloud regions and their associated AWS region names are listed below. Information on backup regions can be found on Qlik Help.
Qlik Cloud Region | Internal Region Code | External Region Code |
---|---|---|
Americas (USA) | us | us-east-1 |
Europe 1 (Ireland) | eu | eu-west-1 |
Europe 2 (UK) | uk | eu-west-2 |
Europe 3 (Germany) | de | eu-central-1 |
Asia-Pacific 1 (Singapore) | sg | ap-southeast-1 |
Asia-Pacific 2 (Australia) | ap | ap-southeast-2 |
Asia-Pacific 3 (Japan) | jp | ap-northeast-1 |
How to create a tenant level OAuth client
To learn how to create a tenant level OAuth client, first ensure the tenant has been created and sign in to it with a user assigned the TenantAdmin role.
Then review the create a new OAuth client guide.
How to create a region level OAuth client
Generate OAuth clients by selecting the subscription in My Qlik with the multiple tenants entitlement.
1 Sign in to My Qlik
Sign in to My Qlik and identify the subscription with the multiple tenants entitlement added to it.
2 Manage OAuth clients
Click the ellipsis (...) on the right side of the subscription entry and select Manage OAuth clients.
3 Select the region
Select the region that the OAuth credential is going to support. The system returns a client ID and client secret.
Client IDs and corresponding secrets are unique to the region and can’t be used in different regions. Record the client ID and the client secret and store them securely, because the client secret is not visible after generation.
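Because each region level client works only in its own region, orchestration code has to pick the right credential for every tenant it contacts. The following is an added example, not code from Qlik's documentation or tooling, that selects the client from the tenant URL and refuses to hand a secret to any host that is not a recognised Qlik Cloud tenant. It assumes tenant hostnames of the form <tenant>.<region>.qlikcloud.com; the environment variable names and function names are hypothetical.

```python
import os
from urllib.parse import urlsplit

# Internal region codes from the region table on this page.
REGION_CODES = {"us", "eu", "uk", "de", "sg", "ap", "jp"}
# Assumption: tenant hostnames have the form <tenant>.<region>.qlikcloud.com.
BASE_DOMAIN = "qlikcloud.com"


class CredentialError(Exception):
    """Raised when no region level client may be used for a tenant URL."""


def tenant_region(tenant_url):
    """Return the region code for a tenant URL, or raise CredentialError."""
    parts = urlsplit(tenant_url)
    if parts.scheme != "https":
        raise CredentialError("tenant URL must use https")
    labels = (parts.hostname or "").lower().split(".")
    # Expect exactly four labels: <tenant>, <region>, qlikcloud, com.
    if len(labels) != 4 or ".".join(labels[2:]) != BASE_DOMAIN or not labels[0]:
        raise CredentialError("not a Qlik Cloud tenant hostname")
    if labels[1] not in REGION_CODES:
        raise CredentialError(f"unknown region code: {labels[1]}")
    return labels[1]


def credentials_for(tenant_url, env=os.environ):
    """Pick the region level client ID and secret for the tenant's region.

    Secrets are read from the environment under hypothetical names
    QLIK_<REGION>_CLIENT_ID and QLIK_<REGION>_CLIENT_SECRET.
    """
    region = tenant_region(tenant_url)
    prefix = f"QLIK_{region.upper()}_CLIENT_"
    client_id, secret = env.get(prefix + "ID"), env.get(prefix + "SECRET")
    if not client_id or not secret:
        raise CredentialError(f"no region level client configured for {region}")
    return region, client_id, secret


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample_env = {"QLIK_EU_CLIENT_ID": "example-id", "QLIK_EU_CLIENT_SECRET": "example-secret"}
    print(credentials_for("https://acme.eu.qlikcloud.com", sample_env)[:2])
    for bad in ("https://acme.us.qlikcloud.com", "https://acme.eu.qlikcloud.com.example.net"):
        try:
            credentials_for(bad, sample_env)
        except CredentialError as exc:
            print(f"refused {bad}: {exc}")
```

Keeping the secrets in the environment or a secrets manager, rather than in the orchestration code, also makes it simpler to swap in a refreshed client secret.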
Note: Recreating region level OAuth clients
The My Qlik portal provides the ability to create up to one OAuth client per Qlik Cloud region, and allows you to refresh the client secret for existing OAuth clients if required.
If you decide to delete an OAuth client via the portal, the associated bot user account will not be deleted from tenants automatically. Subsequently creating a new OAuth client in that region will result in a new, additional bot user being created when this new OAuth client is used on a tenant.
You will need to ensure that any content owned by an inactive bot user is deleted or reassigned to the active bot user account using APIs or the tenant management console.
Next steps
To begin the provisioning workflow and start spinning up tenants with code, go to Create a tenant.
If you prefer a no-code workflow, begin your journey with the Platform Operations connector.