Authentication overview

Qdrant, a vector database, employs authentication mechanisms to control access to its API endpoints, ensuring that only authorized clients can perform operations such as creating collections, inserting vectors, or executing search queries. This is crucial for maintaining data integrity and confidentiality, especially when deploying Qdrant for semantic search, recommendation systems, or generative AI applications. The approach to authentication varies slightly between Qdrant Cloud and self-hosted instances, though both predominantly leverage API keys for client verification.

For Qdrant Cloud users, authentication is managed directly through the cloud platform, where API keys are generated and administered. These keys serve as bearer tokens, granting access based on the permissions associated with the key. In self-hosted Qdrant deployments, authentication can be configured at the instance level, typically involving the generation and management of API keys within the deployment environment. This allows administrators to secure their vector database instances against unauthorized access from internal or external networks. Both scenarios highlight the importance of securely storing and transmitting these credentials to prevent misuse.

Supported authentication methods

Qdrant primarily supports API key-based authentication. This method involves generating a unique key that clients include with their API requests. The server then validates this key to grant or deny access. This is a common and straightforward method for securing API access, suitable for both programmatic and manual interactions with the Qdrant API.

Method: API Key (Bearer Token)
When to use: All client-server interactions with Qdrant Cloud or self-hosted instances.
Security level: High (when managed securely)
Details: A secret string passed in the api-key HTTP header. This key authorizes requests based on the permissions granted to it.

While API keys are the primary method, the underlying security infrastructure for Qdrant Cloud also incorporates practices that contribute to overall data protection, such as SOC 2 Type II compliance. For self-hosted deployments, additional security layers such as network segmentation, firewall rules, and TLS encryption for communication can be implemented independently to strengthen the security posture beyond API key validation alone. The official Qdrant documentation provides detailed guidance on configuring these security measures for self-managed instances (see the Qdrant security documentation).

Getting your credentials

The process for obtaining authentication credentials for Qdrant depends on whether you are using Qdrant Cloud or a self-hosted instance.

For Qdrant Cloud

  1. Sign Up/Log In: Navigate to the Qdrant Cloud platform and either create a new account or log in to an existing one.
  2. Access Project Settings: Once logged in, locate your project or cluster settings. This is typically found in a dashboard or project management section.
  3. Generate API Key: Look for a section related to API keys, access tokens, or security credentials. There should be an option to generate a new API key. Follow the prompts to create the key. It's common for cloud providers to display the key only once upon creation, so ensure you copy it immediately and store it securely.
  4. Permissions (if applicable): Some platforms allow you to assign specific permissions or roles to your API key. Configure these according to the principle of least privilege, granting only the necessary access for your application.

For Self-Hosted Qdrant

For self-hosted Qdrant instances, API key generation is part of the instance configuration. You typically define the API key within the Qdrant configuration file (e.g., config.yaml) or pass it as an environment variable when starting the Qdrant service. The Qdrant documentation details the exact configuration parameters required to enable and set an API key for a self-hosted deployment (see Qdrant self-hosted API key setup).

  1. Edit Configuration: Access the Qdrant configuration file (e.g., config.yaml).
  2. Enable Authentication: Locate the authentication section and enable API key authentication.
  3. Define API Key: Set a strong, unique API key string.
  4. Restart Service: Restart your Qdrant instance for the changes to take effect.

Regardless of the deployment type, always treat your API keys as sensitive information. Compromised API keys can lead to unauthorized data access or manipulation. Industry best practices recommend storing sensitive credentials in environment variables or dedicated secret management services rather than hardcoding them directly into application code. For example, Google Cloud Secret Manager or AWS Secrets Manager provide secure ways to manage API keys.

Authenticated request example

When making requests to the Qdrant API, your API key should be included in the api-key HTTP header. This applies to all API interactions, whether using HTTP directly or through one of Qdrant's client SDKs (Python, Go, Rust, TypeScript, Java, C#).

HTTP Request Example (cURL)

This example demonstrates how to list collections using a cURL command with an API key:

curl -X GET \
  'https://YOUR_QDRANT_HOST:6333/collections' \
  -H 'api-key: YOUR_API_KEY' \
  -H 'Content-Type: application/json'

Replace YOUR_QDRANT_HOST with your Qdrant instance's address (e.g., your Qdrant Cloud URL or localhost for self-hosted) and YOUR_API_KEY with your actual API key.
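The exchange above, shown end to end as an added example that is not part of the original page or of Qdrant's own code: a client that reads the key from the environment, refuses to send it over plaintext HTTP to anything but a loopback address (the transport caveat behind the TLS advice later on this page), and attaches it in the api-key header; plus a constructed in-process stand-in for the Qdrant HTTP API that only checks that header and answers /collections, so the round trip runs offline. The stand-in, its error message and the demo key are assumptions for the demo, not Qdrant behaviour or real credentials.

```python
import json
import os
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed key for the offline demo only; a real deployment reads the key from
# the environment (see load_api_key) and never embeds it in source.
DEMO_API_KEY = "demo-key-not-a-real-secret"


class _StandInHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the Qdrant HTTP API: it checks the api-key header
    and serves /collections. It is a test double, not Qdrant."""

    def do_GET(self):
        if self.headers.get("api-key") != DEMO_API_KEY:
            self._reply(401, {"status": {"error": "invalid or missing api-key header"}})
        elif self.path == "/collections":
            self._reply(200, {"result": {"collections": []}, "status": "ok"})
        else:
            self._reply(404, {"status": {"error": "not found"}})

    def _reply(self, code, body):
        payload = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass  # keep the demo quiet


def load_api_key(var="QDRANT_API_KEY"):
    """Read the key from the environment and fail loudly if it is absent."""
    key = os.environ.get(var, "").strip()
    if not key:
        raise RuntimeError(f"{var} is not set; refusing to call Qdrant unauthenticated")
    return key


def check_endpoint(url):
    """Only send the key over https, except to the loopback address of a local instance."""
    parsed = urlparse(url)
    if parsed.scheme != "https" and parsed.hostname not in ("localhost", "127.0.0.1", "::1"):
        raise ValueError(f"refusing to send api-key over {parsed.scheme} to {parsed.hostname}")


def list_collections(base_url, api_key):
    """GET /collections with the api-key header; return (status, decoded JSON body)."""
    check_endpoint(base_url)
    req = urllib.request.Request(
        base_url.rstrip("/") + "/collections",
        headers={"api-key": api_key, "Content-Type": "application/json"},
    )
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        # 401/403 come back here: surface the status instead of crashing on it
        return err.code, json.loads(err.read() or b"{}")


def run_demo():
    """Start the stand-in server, make one good and one bad request, report the outcomes."""
    server = HTTPServer(("127.0.0.1", 0), _StandInHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        good_status, _ = list_collections(base, DEMO_API_KEY)
        bad_status, bad_body = list_collections(base, "wrong-key")
    finally:
        server.shutdown()
        server.server_close()
    return {"good": good_status, "bad": bad_status, "bad_error": bad_body["status"]["error"]}


if __name__ == "__main__":
    print(run_demo())
```

Against a real instance you would call list_collections with your cluster URL and load_api_key() instead of the demo key; the endpoint check then only lets the key leave the process over https or to localhost.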

Python SDK Example

Using the Python client library, you would typically pass the API key when initializing the client:

from qdrant_client import QdrantClient
import os

# Store the API key securely, e.g. in an environment variable, never in source
QDRANT_API_KEY = os.getenv("QDRANT_API_KEY")
QDRANT_HOST = os.getenv("QDRANT_HOST", "localhost")  # Default to localhost if not set
QDRANT_PORT = int(os.getenv("QDRANT_PORT", "6333"))  # Env values are strings; the client expects an int

if QDRANT_API_KEY:
    client = QdrantClient(
        host=QDRANT_HOST,
        port=QDRANT_PORT,
        api_key=QDRANT_API_KEY,
        grpc_port=6334,  # Optional: if using gRPC
        prefer_grpc=True,  # Optional: if using gRPC
    )
else:
    # For self-hosted instances without an API key or local development
    client = QdrantClient(host=QDRANT_HOST, port=QDRANT_PORT)

# Example operation: print existing collections
print(client.get_collections())

This Python example demonstrates fetching the API key from an environment variable, which is a recommended security practice. The QdrantClient constructor then accepts this key for authentication.

Go SDK Example

For Go applications, the API key is also typically provided during client initialization:

package main

import (
	"context"
	"fmt"
	"log"
	"os"

	"github.com/qdrant/go-client/qdrant"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials/insecure"
)

// apiKeyCreds is a small gRPC per-RPC credential that attaches the same
// "api-key" header the HTTP API expects, as request metadata, to every call.
type apiKeyCreds struct{ key string }

func (c apiKeyCreds) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) {
	return map[string]string{"api-key": c.key}, nil
}

// Returning false permits the plaintext local connection dialled below; once the
// server has TLS configured, return true so the key can never be sent in the clear.
func (c apiKeyCreds) RequireTransportSecurity() bool { return false }

// getenvDefault reads an environment variable with a fallback (os.Getenv has no default argument).
func getenvDefault(name, fallback string) string {
	if v := os.Getenv(name); v != "" {
		return v
	}
	return fallback
}

func main() {
	apiKey := os.Getenv("QDRANT_API_KEY")
	host := getenvDefault("QDRANT_HOST", "localhost")
	grpcPort := getenvDefault("QDRANT_GRPC_PORT", "6334")

	// Prepare gRPC dial options
	dialOptions := []grpc.DialOption{
		grpc.WithTransportCredentials(insecure.NewCredentials()), // Plaintext: only for local use or behind a TLS-terminating reverse proxy
	}

	if apiKey != "" {
		dialOptions = append(dialOptions, grpc.WithPerRPCCredentials(apiKeyCreds{key: apiKey}))
	}

	conn, err := grpc.Dial(fmt.Sprintf("%s:%s", host, grpcPort), dialOptions...)
	if err != nil {
		log.Fatalf("could not connect to qdrant: %v", err)
	}
	defer conn.Close()

	client := qdrant.NewCollectionsClient(conn)

	// Example operation: get all collections
	collections, err := client.List(context.Background(), &qdrant.ListCollectionsRequest{})
	if err != nil {
		log.Fatalf("could not list collections: %v", err)
	}

	fmt.Println("Collections:", collections.GetCollections())
}

This Go example showcases how to inject the API key into the gRPC connection options, allowing the client to authenticate with the Qdrant service.

Security best practices

Implementing strong security practices for Qdrant authentication is essential to protect your data and prevent unauthorized access. Consider the following recommendations:

  • Use Environment Variables or Secret Management: Never hardcode API keys directly into your source code. Instead, store them in environment variables or utilize a dedicated secret management service (e.g., AWS Secrets Manager, Google Cloud Secret Manager, Azure Key Vault). This prevents keys from being exposed in version control systems and provides a centralized, secure way to manage credentials.
  • Principle of Least Privilege: Grant API keys only the minimum necessary permissions required for their intended function. If your Qdrant deployment supports granular access control, configure keys to have restricted access to specific collections or operations. For Qdrant Cloud, ensure that user roles and API key permissions are carefully managed.
  • Rotate API Keys Regularly: Periodically rotate your API keys, especially if there's a change in personnel or a suspected compromise. This limits the window of exposure for any single key. Establish a regular rotation schedule as part of your security policy.
  • Secure Communication with TLS/SSL: Always ensure that communication between your client applications and the Qdrant instance is encrypted using TLS/SSL. Qdrant Cloud automatically handles this, but for self-hosted instances, you must configure TLS for both HTTP and gRPC endpoints. This protects your API key and data from interception during transit.
  • Monitor Access Logs: Regularly review access logs for your Qdrant instance to detect any unusual or unauthorized access attempts. Anomalous activity, such as requests from unknown IP addresses or a high volume of failed authentication attempts, should trigger alerts.
  • Network Security for Self-Hosted: For self-hosted Qdrant, implement network security measures such as firewalls and network segmentation. Restrict access to the Qdrant ports (e.g., 6333 for HTTP, 6334 for gRPC) only to trusted IP addresses or internal networks where your applications reside. Avoid exposing Qdrant directly to the public internet without proper security layers.
  • Input Validation: While authentication verifies the client, robust input validation on all data sent to Qdrant is crucial to prevent injection attacks or malformed data that could exploit vulnerabilities.
  • Keep Qdrant Updated: Always run the latest stable version of Qdrant to benefit from security patches and bug fixes. Regularly check the official Qdrant releases and update your instances.
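The access-log review and network-restriction points above, turned into runnable detection logic as an added example that is not part of the original page or of Qdrant's tooling. It flags any client address that accumulates a threshold of 401/403 responses inside a sliding time window (the "high volume of failed authentication attempts" signal) and separately lists addresses outside a CIDR allowlist that nevertheless received successful responses (the "requests from unknown IP addresses" signal). The log lines and their "<timestamp> <client-ip> <method> <path> <status>" layout are constructed for the demo and are not Qdrant's real log format; adapt LINE_RE to whatever your reverse proxy or request log actually emits.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (NOT Qdrant's log format). One client hammers the API
# with bad keys, one legitimate client has two isolated failures, one address
# outside the allowlist succeeds, and one line is junk that must be skipped.
SAMPLE_LOG = """\
2024-05-01T12:00:01Z 198.51.100.10 GET /collections 200
2024-05-01T12:00:04Z 198.51.100.10 PUT /collections/docs/points 200
2024-05-01T12:00:10Z 203.0.113.7 GET /collections 401
2024-05-01T12:00:11Z 203.0.113.7 GET /collections 401
2024-05-01T12:00:12Z 203.0.113.7 GET /collections 401
2024-05-01T12:00:13Z 203.0.113.7 GET /collections 403
2024-05-01T12:00:14Z 203.0.113.7 GET /collections 401
2024-05-01T12:00:15Z 203.0.113.7 GET /collections 401
2024-05-01T12:09:00Z 198.51.100.10 GET /collections 401
2024-05-01T12:20:00Z 198.51.100.10 GET /collections 401
2024-05-01T12:30:00Z 192.0.2.33 POST /collections/docs/points/search 200
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+Z) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ipaddress.ip_address(m["ip"])  # reject non-addresses early
    except ValueError:
        return None
    return {"ts": ts, "ip": m["ip"], "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def failed_auth_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak failures seen inside `window`} for IPs reaching `threshold` 401/403s."""
    recent = defaultdict(deque)  # per-IP timestamps of failures still inside the window
    alerts = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] not in (401, 403):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            alerts[rec["ip"]] = max(alerts.get(rec["ip"], 0), len(q))
    return alerts


def successes_from_unknown_sources(lines, allowlist):
    """Return the set of client IPs outside `allowlist` (CIDRs) that got a 200 response."""
    nets = [ipaddress.ip_network(cidr) for cidr in allowlist]
    unknown = set()
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] != 200:
            continue
        addr = ipaddress.ip_address(rec["ip"])
        if not any(addr in net for net in nets):
            unknown.add(rec["ip"])
    return unknown


def run_demo():
    """Run both detectors over the constructed sample with an assumed allowlist."""
    lines = SAMPLE_LOG.splitlines()
    return failed_auth_bursts(lines), successes_from_unknown_sources(lines, ["198.51.100.0/24"])


if __name__ == "__main__":
    bursts, unknown = run_demo()
    print("failed-auth bursts:", bursts)
    print("successful requests from outside the allowlist:", unknown)
```

The two isolated failures from the allowlisted client are eleven minutes apart, so they never reach the threshold together; tune threshold and window to your own traffic, and treat the allowlist check as a detective control that complements, rather than replaces, the firewall rules recommended above.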