> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cognite.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authenticate with Entra ID

> Learn how to authenticate the Python SDK with Entra ID using user credentials, interactive login, device code, or client secrets.

You can authenticate the Python SDK with Entra ID by **using a token** retrieved when a [user authenticates](#authenticate-with-user-credentials) or with a static [client secret](#authenticate-with-client-secret) for long-running jobs like extractors.

## Prerequisites

* Make sure the CDF project is configured for authentication with Entra ID:

  * [Register the Cognite API and the CDF portal application](/cdf/access/entra/guides/configure_cdf_azure_oidc) in Entra ID.
  * [Set up Entra ID and CDF groups](/cdf/access/entra/guides/create_groups_oidc) to control access to CDF data.
  * [Register and configure the relevant applications and components](/cdf/access/entra/guides/configure_apps_oidc) in Entra ID.

* In all code samples below, you need to specify:

  * `<Tenant ID>` - the ID of the Entra ID tenant where the user is registered.
  * `<Client ID>` - the ID of the application in Entra ID.
  * `<Cluster>` - the cluster where your CDF project is installed. For example, `api` and `westeurope-1`.
  * `<CDF project>` - the name of the CDF project.

    <Frame>
      <img src="https://apps-cdn.cogniteapp.com/@cognite/docs-portal-images/1.0.0/images/cdf/dev/guides/sdk/tenant-and-client-id.png" alt="Entra ID showing Client ID and Tenant ID locations" width="750px" />
    </Frame>

If you don't know which values to use for these variables, contact your CDF administrator or [Cognite Support](https://cognite.zendesk.com/hc/en-us/requests/new).

## Authenticate with user credentials

You can authenticate the Python SDK with Entra ID by **using a token** retrieved with user credentials.
To find the examples, see [Credential Providers](https://cognite-sdk-python.readthedocs-hosted.com/en/latest/credential_providers.html#credential-providers).

* You can get the token by letting the user sign in interactively via **a browser** and use the [authenticate with interactive login and token refresh](#authenticate-with-interactive-login-and-token-refresh) flow to access CDF when you're running short-term scripts or using Jupyter.

* If a browser isn't available, for example, if you are logged into a terminal, you can use the [authenticate with user credentials and device code](#authenticate-with-user-credentials-and-device-code) flow.

### Authenticate with interactive login and token refresh

Use this flow to authenticate with user credentials by redirecting to an authentication page in the browser.

You need to provide an `OAuthInteractive` credential provider to the `CogniteClient`. The token is served from an in-memory cache but refreshed if needed (without requiring a user sign in or device code for the refresh).

<Note>
  To use this flow with the code sample below, make sure the app is registered in Entra ID as the type **Mobile and desktop applications** with `http://localhost:53000` as the **Redirect URI**.
</Note>

You can find the code sample [here](https://cognite-sdk-python.readthedocs-hosted.com/en/latest/credential_providers.html#cognite.client.credentials.OAuthInteractive).

### Authenticate with user credentials and device code

If a browser isn't available, for example, if you are logged into a terminal, use this flow to authenticate with user credentials and use a device code to refresh the token.

Here we use the `OAuthDeviceCode` credential provider.

<Note>
  To use this flow, select **Allow public client flows** under **Authentication** when registering the app in Entra ID.
</Note>

You can find the code sample [here](https://cognite-sdk-python.readthedocs-hosted.com/en/latest/cognite_client.html#cognite.client.credentials.OAuthDeviceCode).

## Authenticate with client secret

Use the `OAuthClientCredentials` credential provider for this flow. Use this flow for long-running jobs like extractors.

You can find the code sample [here](https://cognite-sdk-python.readthedocs-hosted.com/en/latest/credential_providers.html#cognite.client.credentials.OAuthClientCredentials).

<Info>
  The `token_url` should follow the pattern `https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token` for Entra ID, where *\$tenantId* is the ID of the Entra ID tenant where the user is registered.
</Info>