Data API Authentication

SingleStore's Data API uses Basic and Bearer Authentication standards. You can also use JWTs for password-less access to the database with Bearer Authentication. To authenticate via JWTs, specify the JWT in the Bearer Authorization header. For successful authentication, the JWT must be signed using a key listed in the JWKS that is fetched from the jwks_endpoint in the engine. See Authenticate via JWT for more information.

To enable JWT-based authentication on SingleStoreDB:

  • Configure the JWKS endpoint. Set the jwks_endpoint variable on the database server.

  • Make an HTTP request to the /api/v2/jwks_setup endpoint using the POST method.

A user agent can authenticate with the server by sending its credentials in an Authorization request header. The Authorization header contains the authentication method (Basic or Bearer) followed by a space and then the authentication information constructed from a Base-64 encoded string username:password|JWT.

Authorization: [Basic | Bearer] <Base-64 encoded username:password|JWT>

For example, the Basic Authorization header for the username demo and password Afu4XjzB1ns would appear as follows, where ZGVtbzpBZnU0WGp6QjFucw== is the Base-64 encoding of the demo:Afu4XjzB1ns string.

Authorization: Basic ZGVtbzpBZnU0WGp6QjFucw==

If the server requires the user agent to authenticate itself after receiving an unauthenticated request, it will respond with a 401 Unauthorized status and the WWW-Authenticate header.


Because the Basic and Bearer Authentication methods transfer the username and password (or JWTs) over the network in clear text, they must be used in conjunction with HTTPS/SSL for added security. Production use of SingleStore's Data API should only take place with SSL (HTTPS) enabled to ensure that the authentication information is secure.
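The following Python sketch is an added example, not code from SingleStore's documentation. It builds the Basic header for the demo:Afu4XjzB1ns credentials used above, decodes it again to show that Base-64 is a reversible encoding and not encryption, and refuses to attach credentials to a non-HTTPS URL. The function names and the example host are assumptions made for illustration.

```python
import base64
from urllib.parse import urlsplit


def basic_header(username: str, password: str) -> str:
    """Return the Authorization header value for Basic authentication."""
    if ":" in username:
        # The first colon separates user from password, so a colon in the
        # username would make the pair ambiguous for the server.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_header(value: str) -> tuple[str, str]:
    """Recover (username, password) from a Basic header value.

    Anyone who can read the header on the wire can do the same, which is
    why the header must only travel inside a TLS connection.
    """
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    username, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("decoded credentials lack the ':' separator")
    return username, password


def auth_headers(url: str, username: str, password: str) -> dict[str, str]:
    """Build request headers, attaching credentials only for https:// URLs."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    return {"Authorization": basic_header(username, password)}


if __name__ == "__main__":
    # Constructed sample endpoint; replace with your own Data API host.
    secure_url = "https://db.example.com/"
    headers = auth_headers(secure_url, "demo", "Afu4XjzB1ns")
    print(headers["Authorization"])
    print(decode_basic_header(headers["Authorization"]))
    try:
        auth_headers("http://db.example.com/", "demo", "Afu4XjzB1ns")
    except ValueError as exc:
        print("blocked:", exc)
```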

