Authentication


User Accounts

Yamcs Server can be configured for different authentication setups.

The common use case is to entrust Yamcs with validating user credentials (either by locally verifying passwords, or by delegating to an upstream server such as an LDAP tree).

To authenticate in such a scenario, do:

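from yamcs.client import YamcsClient
from yamcs.core.auth import Credentials

# Username/password credentials, validated by Yamcs Server
credentials = Credentials(username="admin", password="password")
client = YamcsClient("localhost:8090", credentials=credentials)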

In the background this will convert your username/password credentials to an access token with limited lifetime, and a long-lived refresh token for automatically generating new access tokens.

Further HTTP requests do not use your username/password but instead use these tokens.
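Because later requests carry only the tokens, the tokens are what a long-running script needs to keep, not the password. The code below is an added example, not part of the Yamcs client or its documentation: it writes only the token fields of a Credentials-like object to an owner-only file and reloads them. The names `save_tokens` and `load_tokens` and the JSON layout are hypothetical, and naive expiry values are assumed to be UTC.

```python
# Added example: helper names and file layout are hypothetical, not Yamcs API.
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone
from types import SimpleNamespace


def save_tokens(creds, path):
    """Write token fields only (no password or client_secret) to an owner-only file."""
    record = {
        "access_token": creds.access_token,
        "refresh_token": creds.refresh_token,
        "expiry": creds.expiry.isoformat() if creds.expiry else None,
    }
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))  # mode 0600
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(record, fh)
        os.replace(tmp, path)  # atomic swap: readers never see a partial file
    except BaseException:
        os.unlink(tmp)
        raise


def load_tokens(path, now=None, margin=timedelta(seconds=30)):
    """Return saved fields as keyword arguments named like the Credentials fields."""
    if os.name == "posix" and os.stat(path).st_mode & 0o077:
        raise PermissionError(f"{path} is accessible to group or others")
    with open(path) as fh:
        record = json.load(fh)
    expiry = datetime.fromisoformat(record["expiry"]) if record["expiry"] else None
    if expiry is not None and expiry.tzinfo is None:
        expiry = expiry.replace(tzinfo=timezone.utc)  # assumption: naive means UTC
    now = now or datetime.now(timezone.utc)
    if expiry is not None and expiry - margin <= now:
        # Access token is expired or about to be: hand back the refresh token only.
        return {"refresh_token": record["refresh_token"]}
    return {"access_token": record["access_token"],
            "refresh_token": record["refresh_token"], "expiry": expiry}


if __name__ == "__main__":
    creds = SimpleNamespace(  # constructed stand-in for a logged-in Credentials
        password="password", access_token="constructed-access", refresh_token="constructed-refresh",
        expiry=datetime.now(timezone.utc) + timedelta(minutes=10))
    target = os.path.join(tempfile.mkdtemp(), "tokens.json")
    save_tokens(creds, target)
    print(sorted(load_tokens(target)))
```

`save_tokens` has the shape of the `on_token_update` callback in the `login()` signature (one Credentials argument) once the path is bound, for example `lambda c: save_tokens(c, path)`.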

Service Accounts

Service accounts are useful in server-to-server scenarios. Support for service accounts will be available in future releases.


class yamcs.core.auth.APIKeyCredentials(key: str)

Bases: Credentials

before_request(session: Session, auth_url: str)
is_expired() → bool
login(*args, **kwargs)

class yamcs.core.auth.BasicAuthCredentials(username: str, password: str)

Bases: Credentials

Data holder for Basic Auth credentials. This includes a username and a password which are passed in the HTTP Authorization header on each request.

before_request(session: Session, auth_url: str)
is_expired() → bool
login(*args, **kwargs)

class yamcs.core.auth.Credentials(username: Optional[str] = None, password: Optional[str] = None, access_token: Optional[str] = None, refresh_token: Optional[str] = None, expiry: Optional[datetime] = None, client_id: Optional[str] = None, client_secret: Optional[str] = None, become: Optional[str] = None)

Bases: object

Data holder for different types of credentials. Currently this includes:

  • Username/password credentials (fields username and password)

  • Bearer tokens (fields access_token and optionally refresh_token)


access_token

Short-lived bearer token.

become

Name of the user to impersonate. Only service accounts with impersonation authority can use this feature.

before_request(session: Session, auth_url: str)

client_id

The client ID. Currently used only by service accounts.

client_secret

The client secret. Currently used only by service accounts.

expiry

When this token expires.

is_expired() → bool
login(session: Session, auth_url: str, on_token_update: Optional[Callable[[Credentials], None]]) → Credentials

password

Clear-text password (consider TLS!).

refresh(session: Session, auth_url: str)

refresh_token

Refresh token used to request a new access token.

username

Username (only needed when using username/password credentials).