Open source


otelcol.auth.oauth2 exposes a handler that can be used by other otelcol components to authenticate requests using OAuth 2.0.

The authorization tokens can be used by HTTP and gRPC based OpenTelemetry exporters. This component can fetch and refresh expired tokens automatically. For further details about OAuth 2.0 Client Credentials flow (2-legged workflow) see this document.

NOTE: otelcol.auth.oauth2 is a wrapper over the upstream OpenTelemetry Collector oauth2client extension. Bug reports or feature requests will be redirected to the upstream repository, if necessary.

Multiple otelcol.auth.oauth2 components can be specified by giving them different labels.


otelcol.auth.oauth2 "LABEL" {
    client_id     = "CLIENT_ID"
    client_secret = "CLIENT_SECRET"
    token_url     = "TOKEN_URL"


client_idstringThe client identifier issued to the client.yes
client_secretstringThe secret string associated with the client identifier.yes
token_urlstringThe server endpoint URL from which to get tokens.yes
endpoint_paramsmap(list(string))Additional parameters that are sent to the token endpoint.{}no
scopeslist(string)Requested permissions associated for the client.[]no
timeoutdurationThe timeout on the client connecting to token_url."0s"no

The timeout argument is used both for requesting initial tokens and for refreshing tokens. "0s" implies no timeout.


The following blocks are supported inside the definition of otelcol.auth.oauth2:

tlstlsTLS settings for the token

tls block

The tls block configures TLS settings used for connecting to the token client. If the tls block isn’t provided, TLS won’t be used for communication.

The following arguments are supported:

ca_pemstringCA PEM-encoded text to validate the server
ca_filestringPath to the CA
cert_pemstringCertificate PEM-encoded text for client
cert_filestringPath to the TLS
key_pemsecretKey PEM-encoded text for client
key_filestringPath to the TLS certificate
min_versionstringMinimum acceptable TLS version for connections."TLS 1.2"no
max_versionstringMaximum acceptable TLS version for connections."TLS 1.3"no
reload_intervaldurationThe duration after which the certificate will be reloaded."0s"no
insecurebooleanDisables TLS when connecting to the configured
insecure_skip_verifybooleanIgnores insecure server TLS
server_namestringVerifies the hostname of server certificates when

If the server doesn’t support TLS, the tls block must be provided with the insecure argument set to true. To disable tls for connections to the server, set the insecure argument to true.

If reload_interval is set to "0s", the certificate will never be reloaded.

The following pairs of arguments are mutually exclusive and cannot both be set simultaneously:

  • ca_pem and ca_file
  • cert_pem and cert_file
  • key_pem and key_file

Exported fields

The following fields are exported and can be referenced by other components:

handlercapsule(otelcol.Handler)A value that other components can use to authenticate requests.

Component health

otelcol.auth.oauth2 is only reported as unhealthy if given an invalid configuration.

Debug information

otelcol.auth.oauth2 does not expose any component-specific debug information.


This example configures otelcol.exporter.otlp to use OAuth 2.0 for authentication:

otelcol.exporter.otlp "example" {
  client {
    endpoint = "my-otlp-grpc-server:4317"
    auth     = otelcol.auth.oauth2.creds.handler

otelcol.auth.oauth2 "creds" {
    client_id     = "someclientid"
    client_secret = "someclientsecret"
    token_url     = ""

Here is another example with some optional attributes specified:

otelcol.exporter.otlp "example" {
  client {
    endpoint = "my-otlp-grpc-server:4317"
    auth     = otelcol.auth.oauth2.creds.handler

otelcol.auth.oauth2 "creds" {
    client_id       = "someclientid2"
    client_secret   = "someclientsecret2"
    token_url       = ""
    endpoint_params = {"audience" = ["someaudience"]}
    scopes          = ["api.metrics"]
    timeout         = "3600s"