Authentication overview

Redash provides mechanisms to secure access to its web interface and API, controlling who can query data and manage visualizations. The platform supports several authentication methods to accommodate different organizational security requirements, from local user accounts to enterprise single sign-on (SSO) solutions. Proper configuration of authentication is critical to protect sensitive data sources and ensure that only authorized users can access, create, or modify queries and dashboards.

Authentication in Redash primarily governs access to the Redash application itself, enabling users to log in. Once authenticated, user permissions, often linked to groups, determine access to specific data sources and functionalities within Redash. API authentication, distinct from user login, uses API keys to allow external applications to interact programmatically with Redash resources, such as fetching query results or managing data sources (see the Redash help documentation).

Supported authentication methods

Redash offers a range of authentication options, allowing administrators to choose the method best suited for their environment and security policies. These methods address both interactive user logins and programmatic API access.

User Authentication Methods

  • Built-in User Management: This is the default method where Redash manages user accounts, including email and password. Users register directly within Redash, and administrators can invite new users and reset passwords. Passwords are cryptographically hashed before storage.
  • Google OAuth: Redash can integrate with Google as an OAuth 2.0 provider, allowing users to log in using their existing Google accounts. This method centralizes user authentication with a widely used identity provider (see Google's OAuth 2.0 protocol overview), simplifying user management and leveraging Google's security infrastructure.
  • SAML (Security Assertion Markup Language): For enterprise environments, Redash supports SAML for single sign-on (SSO). SAML integration allows Redash to delegate authentication to an external Identity Provider (IdP) such as Okta, Azure AD, or OneLogin. This enables users to access Redash using their corporate credentials, streamlining access and enforcing enterprise-wide security policies.

API Authentication

  • API Keys: For programmatic access to Redash, users can generate API keys. These keys are unique tokens associated with a user account and grant access to Redash's API endpoints. API keys are typically used by scripts, external applications, or automated workflows to retrieve query results, manage data sources, or interact with dashboards without requiring a full user login session.

The following table summarizes the primary authentication methods available in Redash:

Method                  | When to Use                                                                                                              | Security Level (General)
------------------------|--------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------
Built-in User Management | Small teams, self-hosted deployments without an existing IdP, development environments.                                 | Moderate (depends on password policies and storage security)
Google OAuth            | Organizations using Google Workspace, desire for simplified user login, leveraging Google's security.                    | High (leveraging Google's robust authentication infrastructure)
SAML SSO                | Enterprise environments, compliance requirements, existing Identity Provider (Okta, Azure AD, etc.), centralized user management. | High (delegates to an enterprise-grade IdP, supports advanced features like MFA)
API Keys                | Programmatic access, integrations with other applications, automated reporting, data extraction.                         | Moderate to High (depends on key management, rotation, and scope)

Getting your credentials

The process for obtaining and configuring credentials in Redash varies by the authentication method:

Built-in User Management

  • For New Users: An administrator can invite you via email, which provides a link to set up your password. Alternatively, if self-registration is enabled, you can sign up directly on the Redash login page and set your password.
  • For Existing Users: Your credentials are your email and the password you set during registration or the last password reset.
  • Setup: No specific server-side configuration is needed beyond enabling local user accounts (which is the default).

Google OAuth

  • Prerequisites: You need a Google account. The Redash instance administrator must configure Google OAuth.
  • Administrator Setup Steps:
    1. Create a new project in the Google Cloud Console and enable the Google People API (see the Google Cloud authentication guide).
    2. Configure an OAuth consent screen and create OAuth 2.0 client credentials (Client ID and Client Secret).
    3. Add the Redash instance's URI as an authorized redirect URI.
    4. Set the following environment variables in the Redash server configuration: REDASH_GOOGLE_CLIENT_ID and REDASH_GOOGLE_CLIENT_SECRET (see the Redash configuration documentation).
  • User Login: On the Redash login page, select the "Log in with Google" option.

SAML SSO

  • Prerequisites: An existing Identity Provider (IdP) configured for SAML (e.g., Okta, Azure AD, OneLogin).
  • Administrator Setup Steps:
    1. Obtain the IdP metadata XML or the IdP Entity ID, SSO URL, and X.509 certificate from your Identity Provider.
    2. Configure the Redash instance as a Service Provider (SP) in your IdP, providing Redash's Entity ID and ACS URL (Assertion Consumer Service URL).
    3. Set the following environment variables in the Redash server: REDASH_SAML_METADATA_URL (or individual parameters like REDASH_SAML_ENTITY_ID, REDASH_SAML_SSO_URL, REDASH_SAML_CERT); see the Redash SAML configuration documentation.
    4. Ensure attribute mapping is correctly configured between your IdP and Redash (e.g., email address).
  • User Login: Users will typically be redirected to the IdP login page when attempting to access Redash, or they can initiate login from the IdP dashboard.

API Keys

  • Generation: API keys are generated by individual users within their Redash user profile settings. Navigate to your user profile and look for an "API Keys" section.
  • Usage: The generated API key is passed in the Authorization header of HTTP requests using the Key scheme (Authorization: Key YOUR_API_KEY), or as a query parameter. The header is preferred for security, since query strings tend to be recorded in server, proxy, and browser logs.
  • Management: Users can revoke existing API keys and generate new ones as needed from their profile.

Authenticated request example

This example demonstrates how to make an authenticated API request to Redash using an API key to fetch results from a specific query. Replace YOUR_REDASH_URL, YOUR_QUERY_ID, and YOUR_API_KEY with your actual values.

Example: Fetching Query Results via API Key

curl -X GET \
  "https://YOUR_REDASH_URL/api/queries/YOUR_QUERY_ID/results.json" \
  -H "Authorization: Key YOUR_API_KEY" \
  -H "Accept: application/json"

In this cURL command:

  • -X GET specifies the HTTP GET method.
  • "https://YOUR_REDASH_URL/api/queries/YOUR_QUERY_ID/results.json" is the endpoint for retrieving JSON results of a query.
  • -H "Authorization: Key YOUR_API_KEY" includes the API key in the Authorization header, prefixed with Key. This is the standard way to authenticate API requests with Redash API keys.
  • -H "Accept: application/json" indicates that the client expects a JSON response.

Successful execution returns the query results in JSON format. Incorrect API keys or insufficient permissions will result in an HTTP 403 Forbidden error.
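The same request as a small Python client, added here as an example and not taken from the Redash project or its documentation. It reads the key from an environment variable rather than hardcoding it, sends it in the Authorization header with the Key scheme, and turns a 403 into an explicit permission error. `demo_opener` is a constructed stand-in for `urllib.request.urlopen` so the logic can be exercised offline; `REDASH_API_KEY` is an assumed variable name, not one Redash defines.

```python
import io
import json
import os
import urllib.error
import urllib.request


def load_api_key(env_var="REDASH_API_KEY"):
    """Read the API key from the environment; refuse to run with an empty key."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to call Redash without a key")
    return key


def build_results_request(base_url, query_id, api_key):
    """Build GET /api/queries/<id>/results.json with the key in the Authorization header."""
    url = f"{base_url.rstrip('/')}/api/queries/{int(query_id)}/results.json"
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Key {api_key}")  # Key scheme, not Bearer
    req.add_header("Accept", "application/json")
    return req


def fetch_query_results(base_url, query_id, api_key, opener=urllib.request.urlopen):
    """Return the decoded JSON body; map a 403 to PermissionError, re-raise other HTTP errors."""
    req = build_results_request(base_url, query_id, api_key)
    try:
        with opener(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 403:
            raise PermissionError("API key rejected or lacks permission for this query") from err
        raise


def demo_opener(status, body=b"{}"):
    """Constructed offline stand-in for urlopen: returns `body` on 200, raises HTTPError otherwise."""
    def opener(req):
        if status == 200:
            return io.BytesIO(body)
        raise urllib.error.HTTPError(req.full_url, status, "error", {}, None)
    return opener


if __name__ == "__main__":
    # Real call against a live instance; replace the placeholder URL and query id.
    results = fetch_query_results("https://YOUR_REDASH_URL", 1, load_api_key())
    print(json.dumps(results, indent=2))
```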

Security best practices

Implementing strong authentication practices is essential for securing your Redash instance and the data it accesses.

  • Use Strong Passwords: For built-in user management, enforce strong, unique passwords for all users. Redash allows configuration of password complexity requirements via environment variables (see the Redash environment variables reference).
  • Enable SSO (SAML or Google OAuth): Where possible, integrate Redash with an existing Identity Provider using SAML or Google OAuth. This centralizes user management, leverages enterprise-grade security features like multi-factor authentication (MFA), and reduces the risk of credential compromise across multiple systems. Many IdPs support FIDO Alliance standards for strong authentication (see the FIDO Alliance website).
  • Regularly Rotate API Keys: API keys should be treated like passwords. Periodically revoke old API keys and generate new ones, especially for automated scripts or integrations. Avoid hardcoding API keys directly into code; use environment variables or a secure secret management system.
  • Principle of Least Privilege: Grant users and API keys only the minimum necessary permissions required to perform their tasks. For example, a user who only needs to view dashboards should not have administrator access or permissions to modify data sources.
  • Secure Data Source Credentials: The credentials Redash uses to connect to your data sources (e.g., database usernames and passwords) are critical. Redash encrypts these credentials at rest. Ensure your Redash server environment variables are protected and that the underlying database storing Redash's configuration is secure.
  • Keep Redash Updated: Regularly update your Redash instance to the latest stable version. Updates often include security patches that address vulnerabilities.
  • Monitor Access Logs: Regularly review Redash's access logs and your underlying server logs for unusual login attempts or suspicious activity.
  • HTTPS Everywhere: Always ensure your Redash instance is served over HTTPS to encrypt all communication between users and the Redash server, protecting credentials and data in transit.
  • Isolate Redash: Deploy Redash in a secure network segment, potentially behind a firewall, limiting its exposure to unnecessary network traffic.