Documentationbreadcrumb arrow Pluginsbreadcrumb arrow Infinity data sourcebreadcrumb arrow Setupbreadcrumb arrow Authentication
Open source

Authentication

Infinity data source supports the following authentication methods:

  • No authentication
  • Basic authentication
  • Bearer token authentication
  • API key authentication
  • Digest authentication
  • OAuth passthrough
  • OAuth 2.0 client credentials
  • OAuth 2.0 JWT authentication
  • Azure authentication
  • Azure blob
  • AWS authentication

No authentication

If your APIs don’t require any authentication, select the No Authentication method.

Basic

Basic authentication sends a username and password with your request. In the request headers, the Authorization header uses the Basic <BASE64_ENCODED_USERNAME_AND_PASSWORD> format.

Bearer token

Bearer token enable requests to authenticate using an access key, such as a JSON Web Token (JWT) or personal access token. In the request headers, the Authorization header uses the Bearer <API_KEY> format.

Tip

If you need a custom prefix instead of Bearer prefix, use API key authentication instead with the key of Authorization.

API key

With API key authentication, you can send a key-value pair to the API via request headers or query parameters. API key authentication requires following parameters:

KeyDescription
KeyKey of the API token. This becomes the key of the header or query parameter.
ValueValue of the API token
InAccepts header/query. Most APIs accept API keys via headers as a preferred way of sending API keys. Sending API keys via the query parameter is.

Tip

It’s easy to confuse API key authentication with Bearer token authentication. Ensure sure you are using the correct authentication mechanism.

Digest

Digest authentication enable requests to authenticate using RFC7616 HTTP Digest Access Authentication protocol.

OAuth passthrough

If your Grafana user is already authenticated via OAuth, this authentication method forwards the OAuth tokens to the API.

OAuth 2.0 client credentials

OAuth 2.0 client credentials require the following parameters:

KeyDescription
Client IDClientID is the application’s ID.
Client SecretClientSecret is the application’s secret.
Token URLTokenURL is the resource server’s token endpoint URL. This is a constant specific to each server.
ScopesScope specifies optional requested permissions.
Endpoint paramsEndpointParams specifies additional parameters for requests to the token endpoint.

Customizing OAuth2 Tokens

In Infinity, OAuth2.0 client credentials authentication supports advanced customization for scenarios where APIs require non-standard token formats or headers. For detailed information on customizing OAuth2 token headers and templates, see OAuth2 Custom Tokens.

Key features:

  • Custom header names (e.g., X-API-Key instead of Authorization)
  • Custom token value format (e.g., Token ${__oauth2.access_token} instead of Bearer ${__oauth2.access_token})
  • Support for multiple token properties (access token, refresh token, token type)

OAuth 2.0 JWT

OAuth 2.0 JWT require the following parameters

KeyDescription
EmailEmail is the OAuth client identifier used when communicating with the configured OAuth provider.
Private KeyPrivateKey contains the contents of an RSA private key or the contents of a PEM file that contains a private key.
Private Key IdentifierOptional. PrivateKeyID contains an optional hint indicating which key to use.
Token URLTokenURL is the endpoint required to complete the 2-legged JWT flow.
SubjectOptional. Subject is the optional user to impersonate.
ScopesScopes optionally specifies a list of requested permission scopes. Provide scopes as a comma separated values.

Infinity OAuth 2.0 JWT authentication also supports token customization. See OAuth2 Custom Tokens for details.

Azure

If you want to authenticate your API endpoints via Microsoft Azure authentication, refer to Azure authentication.

Azure Blob

To retrieve content from Azure blob storage, you need to provide the following information:

KeyDescription
Azure CloudOptional.
Azure Cloud / https://<your-storage-account-name>.blob.core.windows.net/
Azure US Government / https://<your-storage-account-name>.blob.core.usgovcloudapi.net/
Azure China / https://<your-storage-account-name>.blob.core.chinacloudapi.cn/
Storage account nameRequired.
Storage account keyRequired. Provide either primary key or secondary key

AWS

If you want to authenticate your API endpoints via Amazon AWS authentication, refer to AWS authentication.

Private data source connect (PDC)

Use private data source connect (PDC) to connect to and query data within a secure network without opening that network to inbound traffic from Grafana Cloud. See Private data source connect for more information on how PDC works and Configure Grafana private data source connect (PDC) for steps on setting up a PDC connection.

If you use PDC with AWS Authentication, the PDC agent must allow internet egress tosts.<region>.amazonaws.com:443.

  • Private data source connect - Click in the box to set the default PDC connection from the dropdown menu or create a new connection.

Once you have configured your Infinity data source options, click Save & test at the bottom to test out your data source connection. You can also remove a connection by clicking Delete.