Authenticate for Platform Operations

Generate OAuth credentials

The primary method used to authenticate for Platform Operations is OAuth2. Specifically, you need to generate a machine-to-machine OAuth client - these are available at two levels in Qlik Cloud, depending on your subscription.

Note: This section relates to the use of machine-to-machine OAuth to support Platform Operations. For a general overview of OAuth, refer to the OAuth2 Overview.

Tenant provisioning is handled by My Qlik, the subscription management portal for Qlik Cloud. If you are entitled to a single tenant, then you will use this portal to create your tenant interactively, before logging into that tenant to create an OAuth client to continue with this tutorial series. If you are entitled to multiple tenants, then the portal will be used to procure region level OAuth clients for your entitlement.

If you are planning to deploy multiple tenants and you haven’t used these features before, please reach out to your Qlik account manager as it’s likely that you will need changes made to your Qlik entitlement before you begin.

Tenant and region level OAuth clients

Within a Qlik Cloud tenant, it is possible to generate API keys on a per-user level or OAuth clients on a per-tenant level to provide credentials for use with Qlik APIs. OAuth clients generated at this level will be referred to as a tenant-level OAuth client. These are the most common types of OAuth client in Qlik Cloud and are used for the various embedding and integration use cases.

To simplify user and credential management when you’re managing more than one tenant, Qlik provides the ability for the Service Account Owner (SAO) of a subscription to set up regional OAuth clients in the My Qlik portal, which will be referred to as a region level OAuth client.

Example of a 15 tenant deployment across three Qlik Cloud regions, with each region accessible via a region-level OAuth client

Each region level OAuth client provides full access to all Qlik Cloud tenants deployed to that region, without requiring additional credentials or OAuth clients. To achieve the same thing with tenant level OAuth clients, you would need to first manually create a new machine-to-machine client on each tenant, and handle dynamically switching between these credentials in your orchestration code or tooling.

When to use each type of OAuth client

If you are deploying tenants on a single Qlik subscription and have a multitenant entitlement, you will have access to the region level OAuth clients, and should use these to simplify management.

If you have one or more Qlik subscriptions which do not have a multitenant entitlement then you will need to generate tenant level OAuth clients.

What happens when an OAuth client is created

The first time an OAuth client is used for a request to a tenant, a corresponding non-interactive bot user is automatically created on the tenant, which acts with privileges equivalent to the TenantAdmin role on a tenant (the highest level of access available). A bot user can be assigned roles in the same way as any other user on a tenant to provide additional capabilities.

Actions performed by the bot user will be captured in the audit logs for the tenant. Any content deployed using the OAuth client will be owned by the bot user that corresponds to that OAuth client.

For tenant level bot users, the username of the bot will match the name entered for the OAuth client when it was set up. Each bot will consume 1 professional license per tenant.

For region level bot users, the username of the bot will match <region> OAuth client where <region> is one of AP, DE, EU, SG, UK, or US. Each bot will consume 1 professional license per region, irrespective of the number of tenants deployed in that region.

Qlik Cloud regions and their associated AWS region names are listed below.

Qlik Cloud RegionInternal Region CodeExternal Region Code
Americas (USA)usus-east-1
Europe 1 (Ireland)eueu-west-1
Europe 2 (UK)ukeu-west-2
Europe 3 (Germany)deeu-central-1
Asia-Pacific 1 (Singapore)sgap-southeast-1
Asia-Pacific 2 (Australia)apap-southeast-2

How to create a tenant level OAuth client

To learn how to create a tenant level OAuth client, first ensure the tenant has been created and sign in to it with a user assigned with a TenantAdmin role.

Then review the create a new OAuth client guide.

How to create a region level OAuth client

Generate OAuth clients by selecting the subscription in My Qlik with the multiple tenants entitlement.

1 Sign in to My Qlik

Sign in to My Qlik and identify the subscription with the multiple tenants entitlement added to it.

2 Manage OAuth clients

Click the ellipsis (...) on the right side of the subscription entry and select Manage OAuth clients.

Screenshot of a subscription with multitenant entitlement

3 Select the region

Select the region that the OAuth credential is going to support. The system returns a client ID and client secret.

Screenshot of the interface to manage active OAuth clients

Client IDs and corresponding secrets are unique to the region and can’t be used in different regions. Record the client id and the client secret and keep them safe and secure because the client secret is not visible after generation.

Note: Recreating region level OAuth clients

The My Qlik portal provides the ability to create up to one OAuth client per Qlik Cloud region, and allows you to refresh the client secret for existing OAuth clients if required.

If you decide to delete an OAuth client via the portal, the associated bot user account will not be deleted from tenants automatically. Subsequently creating a new OAuth client in that region will result in a new, additional bot user being created when this new OAuth client is used on a tenant.

You will need to ensure that any content owned by an inactive bot user is deleted or reassigned to the active bot user account using APIs or the tenant management console.

Next steps

To begin the provisioning workflow and start spinning up tenants with code, go to Create a tenant.

If you prefer a no-code workflow, begin your journey with the Platform Operations connector.

Was this page helpful?