Managing Users and OAuth Clients in the RAI Console
A short guide to managing users and OAuth clients in the RAI Console.
User Roles
The RAI Console has two types of user roles: Admin and User.
User Role | Description |
---|---|
User | RAI Console users with the User role can manage databases, engines, models, queries, notebooks, and view transactions. |
Admin | RAI Console users with the Admin role can do all of the above, as well as manage users and OAuth clients. OAuth client authorizations are needed when using SDKs. |
Managing Users
When you log into the RAI Console as a user with admin permissions, you will see a Settings icon on the left-hand side of the Console.
To manage users, click the Settings icon.
A list of all previously added users appears.

To see information about users and change their status or role, click the user’s name in the list.
The following page appears:

Adding Users
To add a user:
- Click Create.

- In the page that opens, enter the user’s email and select a role — User or Admin — for the user.
- Click Create to add the user.

Users can now access the Console. After entering their email on the Console login page, users will be prompted to enter the password for their email account. On first use, users will be prompted to set up two-step verification using a one-time password application. For more details, see Logging into the RAI Console in Quick Start.
Deleting Users
To delete a user:
- Click the Settings icon.
- Click the user’s name.
- In the page that opens, click Delete.
Making a User Inactive
You can make users inactive, which prevents them from accessing the RAI Console.
To make a user inactive:
- Click the Settings icon.
- Click the user’s name.
- In the page that opens, change the user’s status from Active to Inactive.
- Click Save.
Granting a User Admin Permissions
You can give other users admin permissions.
To do so:
- Click the Settings icon.
- Click the user’s name.
- In the page that opens, change the user’s role from User to Admin.
- Click Save.
Managing OAuth Clients
To use RelationalAI SDKs, you will need to create and configure an OAuth client (opens in a new tab).
RelationalAI currently supports the following SDKs:
- C#.
- CLI.
- Go.
- Java.
- JavaScript.
- Julia.
- Python.
- CLI With VS Code.
- Python With VS Code.
To manage OAuth clients:
- Click the Settings icon.
- In the left-hand pane, click OAuth Clients.
A list of all previously added OAuth clients appears.
To see information on OAuth clients, click the OAuth client’s name in the list.

You can restrict permissions for OAuth clients. OAuth clients might only be able to list engines or list databases, but not delete them, for example.
Adding an OAuth Client
To add an OAuth client:
- Click the Settings icon.
- In the left-hand pane, click OAuth Clients.
- Click Create.
- In the page that opens, enter a name for the OAuth client and select permissions for the OAuth client. See Best Practices for Client Names and Secrets below.
- Click Save to add the OAuth client.

Deleting an OAuth Client
To delete an OAuth client:
- Click the Settings icon.
- In the left-hand pane, click OAuth Clients.
- Click the OAuth client that you want to delete.
- In the page that opens, click Delete.
Sharing OAuth Credentials
To share OAuth credentials:
- Click the Settings icon.
- In the left-hand pane, click OAuth Clients.
- Click the OAuth client for which you want to share credentials.
- In the page that opens, click the Copy icon for both
Client ID
andSecret
.

- Copy the client ID and secret to a text file and share the credentials in a secure manner.
Permissions for OAuth Clients
You can set the following permissions for OAuth clients:
Area | Permission Name | Explanation |
---|---|---|
Credits Usage | read:credits_usage | View details about credits usage. |
Database | create:database | Create databases. |
Database | delete:database | Delete databases. |
Database | list:database | List databases. |
Database | update:database | Update databases. |
Engine | create:engine | Create engines. |
Engine | delete:engine | Delete engine. |
Engine | list:engine | List engines. |
Engine | read:engine | View details about engines. |
OAuth client | create:oauth_client | Create OAuth clients. |
OAuth client | delete:oauth_client | Delete OAuth clients. |
OAuth client | list:oauth_client | List OAuth clients. |
OAuth client | read:oauth_client | View details about OAuth clients. |
OAuth client | update:oauth_client | Update OAuth clients. |
OAuth client - Secret | rotate:oauth_client_secret | Rotate OAuth clients secrets. |
Permission | list:permission | List API permissions. |
Role | list:role | List roles. |
Role | read:role | View details about roles. |
Transaction | cancel:transaction | Cancel transactions. |
Transaction | list:transaction | List transactions. |
Transaction | read:transaction | View details about transactions. |
Transaction | run:transaction | Run write and read-only transactions. |
Transaction | run-read:transaction | Run only read-only transactions. |
User | create:user | Create users. |
User | delete:user | Delete users. |
User | list:user | List users. |
User | read:user | View details about users. |
User | update:user | Update users. |
Changing Permissions for an OAuth Client
You can change an OAuth client’s permissions at any time.
To do so:
- Click the Settings icon.
- In the left-hand pane, click OAuth Clients.
- Click the OAuth client for which you want to change settings.
- In the page that opens, change permissions as needed.
- Click Save.

Rotating OAuth Secrets
To rotate the secret for an OAuth client:
- Click the Settings icon.
- In the righ-hand pane, click OAuth Clients.
- Click the OAuth client.
- In the page that opens, click Rotate.
- Use the Copy icon to the right of the Secret field to copy the secret to your SDK’s client configuration.
Best Practices for Client Names and Secrets
The OAuth client name is a public identifier for your application. You should use a meaningful name that you can remember.
The client secret is confidential and should only be used to authenticate your application and make requests through the SDK. You should not share the secret anywhere that is potentially unsecured, such as email, public code repositories, or web server files that can be viewed externally.
You are advised to rotate the client secret regularly using the steps above.
Configuring OAuth Clients for SDKs
In order to use OAuth, you will need to create a configuration file on the machine on which you’re running your SDK.
To do so:
- Create a file called
~/.rai/config
. - Enter the following information in the file:
[default]
region = us-east
host = azure.relationalai.com
port = 443
client_id = qvG73z47SKxQV5sxMUMLSOCIGSDVe70u
client_secret = <your secret goes here>
Parameter | Brief Explanation |
---|---|
region | Engine region — currently always us-east . |
host | Host for RelationalAI — currently always azure.relationalai.com . |
port | Port for RelationalAI — currently always 443 . |
client_id | Your OAuth client ID. |
client_secret | Your OAuth secret. |