
TiDB Cloud is a powerful MySQL-compatible database-as-a-service (DBaaS) for diverse industries, trusted by many leading companies such as Catalyst and CAPCOM. Today, we’re thrilled to announce a major update: TiDB Cloud now supports OAuth 2.0!

OAuth 2.0 is a secure authorization protocol that lets you leverage existing login credentials from platforms like Google, Microsoft, and other Single Sign-On (SSO) providers. This gives you:

  • Easy sign-in: Use your existing login from platforms like Google or Microsoft to access TiDB Cloud. No more juggling multiple credentials or needing to remember multiple passwords.
  • Enhanced security: OAuth 2.0 eliminates the need to store passwords within TiDB Cloud, reducing the risk of data breaches.

This post dives into how OAuth 2.0 makes signing into your TiDB Cloud databases a breeze for your users. We’ll explore the benefits of OAuth and how to get it set up.

TiDB Cloud’s Support for OAuth 2.0

OAuth 2.0 is a secure way to sign in to apps without sharing your password. It lets you grant access to third-party applications, so you can keep track of permissions and enjoy a more secure login experience.

Key benefits of OAuth 2.0 include:

  • Security: By using token-based authentication, OAuth 2.0 minimizes the risk of password theft and unauthorized access.
  • Convenience: Users can grant and revoke access to their data without managing multiple credentials.
  • Control: Users can specify the exact level of access granted to third-party applications, ensuring only necessary permissions are given.

You can learn more about OAuth 2.0 here.

OAuth 2.0 Grant Types in TiDB

The OAuth 2.0 standard specifies several different grant types. TiDB Cloud currently supports two of these types: Authorization Code and Device Code.

| Grant Type | Description | Example Use Case |
| --- | --- | --- |
| Device Code | For devices with weak input: the user confirms the authorization code, and the developer application obtains the token. | Limited input devices such as smart TVs and IoT devices; applications running on TiDB that access the TiDB Cloud API |
| Authorization Code | The user authorizes, an authorization code is generated, and the developer application obtains the token through the code. | Web applications accessing the TiDB Cloud API |

Today, we’ll walk through the Device Code flow. In a subsequent post, we will cover the Authorization Code flow in more detail.

TiDB Cloud OAuth Example using Device Code: TiDB Cloud CLI

Tired of juggling API keys? The latest TiDB Cloud CLI lets you ditch them with built-in OAuth. Simply authenticate once, and you’ll have secure access to manage your database clusters and DBaaS features directly from the command line. This integration allows you to interact with your TiDB Cloud resources conveniently, securely, and efficiently.

Using TiDB Cloud CLI with OAuth: Step-by-Step Instructions

1. Install TiDB Cloud CLI: Download and install the latest version of the TiDB Cloud CLI from the TiDB Cloud website.

2. Enable OAuth authentication: Run the CLI command to start the OAuth device code flow. The CLI will display a user code and a URL.

[Screenshot: CLI Command]

Enter ticloud auth login in the CLI. This sends an HTTP POST request to the OAuth authorization server, which returns a user_code and a verification_uri.

3. Authorize the CLI:

[Screenshot: Authorize the CLI]

After receiving the user_code and verification_uri, the TiDB Cloud CLI will launch a browser for authentication and authorization.

  • If the user is not logged in, they must first authenticate:
    [Screenshot: Sign In]
  • After user login and identity confirmation, an authorization code is displayed:
    [Screenshot: Device Confirmation]
  • The user then selects the scope of authorization:
    [Screenshot: Confirm your authorization]
  • Next, the user confirms the authorization to complete the process.
  • Finally, the TiDB Cloud CLI confirms that the login has been successfully completed.
    [Screenshot: Successfully logged in]

4. Enjoy secure access to TiDB Cloud: Once authorized, the CLI will receive an access token, allowing you to manage your database clusters and utilize TiDB Cloud’s DBaaS capabilities directly from the command line.

Advanced Applications of OAuth 2.0 in TiDB Cloud

We’ve covered the basics of getting started with TiDB CLI and OAuth. Now, let’s look at some more advanced use cases to unlock the full potential of this powerful combination.

Obtaining an Access Token

TiDB Cloud CLI polls the OAuth authorization server to confirm that the user has completed authorization and to obtain an Access Token.

  • The server’s response will include both an Access Token and a Refresh Token.
  • The Access Token has a limited lifespan. If the application needs long-term access to an API, it can use the Refresh Token to obtain a new Access Token.
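
The polling step described above, as an added Python example (not TiDB Cloud CLI's own code) that follows the device code grant in RFC 8628, including its authorization_pending, slow_down, access_denied and expired_token responses. The post transport, the client ID and every token value are assumptions constructed for illustration; no real endpoint is contacted.

```python
# Added example: client-side polling for the OAuth 2.0 device code grant (RFC 8628).
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

class DeviceFlowError(Exception):
    """Raised when the authorization server ends the flow without tokens."""

def poll_for_token(post, client_id, device_code, interval=5, expires_in=600,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll until the user approves, denies, or the device code expires.

    `post` is a hypothetical transport: it takes the form fields as a dict
    and returns the decoded JSON response body as a dict.
    """
    deadline = clock() + expires_in
    while clock() < deadline:
        sleep(interval)
        body = post({"grant_type": DEVICE_GRANT,
                     "device_code": device_code,
                     "client_id": client_id})
        error = body.get("error")
        if error is None:
            return body                   # access token and refresh token
        if error == "authorization_pending":
            continue                      # user has not finished in the browser
        if error == "slow_down":
            interval += 5                 # RFC 8628: back off by 5 seconds
            continue
        # access_denied, expired_token, or anything unexpected: stop polling.
        raise DeviceFlowError(error)
    raise DeviceFlowError("expired_token")

def make_fake_server(script):
    """Constructed stand-in for the authorization server: replays `script`."""
    responses = iter(script)
    return lambda form: next(responses)

def demo():
    """Run the loop against constructed responses; returns (tokens, waits)."""
    waits = []
    server = make_fake_server([
        {"error": "authorization_pending"},
        {"error": "slow_down"},
        {"access_token": "constructed-access", "token_type": "Bearer",
         "refresh_token": "constructed-refresh", "expires_in": 3600},
    ])
    tokens = poll_for_token(server, "example-cli", "constructed-device-code",
                            sleep=waits.append, clock=lambda: 0.0)
    return tokens, waits
```

A client that ignores slow_down or keeps polling after access_denied shows up on the server side as a burst of failed token requests for one device code, which is a useful signal when reviewing authorization server logs.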

Access TiDB Cloud Services

After obtaining the access token for TiDB Cloud CLI, you can add it to the request header to call the TiDB Cloud API, such as the List Project or List Cluster API.

Call the List Project API:

Enter the ticloud project list command in the TiDB Cloud CLI, and the CLI will call the List Project API. The request example is as follows:

GET /v1beta1/projects?page=1&page_size=10 HTTP/1.1
Authorization: Bearer access_token

Call the List Cluster API:

Enter the ticloud serverless list command in TiDB Cloud CLI, and the CLI will call the List Cluster API. The request example is as follows:

GET /v1beta1/clusters?page=1&page_size=10 HTTP/1.1
Authorization: Bearer access_token

Revoking OAuth Authorization

If a user needs to revoke the application’s access permissions, they can do so by calling the revocation interface. In the TiDB Cloud CLI scenario, when a user executes the logout command, the revocation interface is called to invalidate the user’s authorization, Access Token, and Refresh Token.

[Screenshot: Revoking OAuth Authorization]


OAuth integration isn’t just a convenience; it’s a game-changer for TiDB Cloud security and efficiency. With OAuth integration, you can streamline workflows, enforce granular access controls, and safeguard your data – all with the power of modern authentication.

You can start integrating OAuth with TiDB Cloud today to unlock a smoother, more secure cloud database experience.
