Access control architecture

Access control becomes critical as your deployment moves beyond development into production with multiple users or applications.

Authentication strategy

Weaviate supports multiple authentication methods.

If developing or evaluating → Anonymous access (temporarily)

  • Never use in production due to security risks

If you have existing identity infrastructure → OIDC integration

  • Integrates with SSO systems
  • Example: Enterprise with existing Okta setup

If you need simple API access → API keys

  • Direct authentication for services and development
  • Example: Microservices or CI/CD pipelines

If you need both human and machine access → OIDC + API keys

  • OIDC for users, API keys for automated systems

Authorization schemes

Simple authorization

If simple admin vs. read-only distinction → Admin list authorization

  • Admins get full access, users get read-only
  • Example: Internal knowledge base with few administrators

Advanced authorization

If you need granular permissions → Role-Based Access Control (RBAC)

  • Custom roles with collection-level and operation-level permissions
  • Example: Multi-department deployment with different access needs

If using multi-tenant collections → Combine RBAC with tenant-specific roles

  • Roles scoped to specific tenants for data isolation
  • Example: SaaS applications with customer data separation
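As an added example (not from the Weaviate documentation), here is a Docker Compose environment block that combines the choices above for a production deployment: anonymous access disabled, API keys for automated systems, OIDC for people through an existing SSO provider, and RBAC instead of the simpler admin list. The issuer URL, client ID, usernames and key placeholders are assumptions; the variable names are Weaviate's authentication and authorization settings as I know them, so confirm them against the version you run.

```yaml
services:
  weaviate:
    image: semitechnologies/weaviate   # pin a specific tag in production
    environment:
      # Anonymous access is for local evaluation only; keep it off in production.
      AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED: 'false'

      # API keys for services (CI/CD, microservices). Each key is mapped
      # positionally to a username so it can be granted a role later.
      # Placeholders: inject the real keys from your secret store, not a file in git.
      AUTHENTICATION_APIKEY_ENABLED: 'true'
      AUTHENTICATION_APIKEY_ALLOWED_KEYS: 'REPLACE_WITH_ADMIN_SERVICE_KEY,REPLACE_WITH_CI_KEY'
      AUTHENTICATION_APIKEY_USERS: 'admin-service,ci-pipeline'

      # OIDC for human users via the existing SSO (assumed issuer and client ID).
      # The username claim decides which identity RBAC roles are assigned to.
      AUTHENTICATION_OIDC_ENABLED: 'true'
      AUTHENTICATION_OIDC_ISSUER: 'https://sso.example.com'
      AUTHENTICATION_OIDC_CLIENT_ID: 'weaviate'
      AUTHENTICATION_OIDC_USERNAME_CLAIM: 'email'
      AUTHENTICATION_OIDC_GROUPS_CLAIM: 'groups'

      # Granular permissions: enable RBAC and bootstrap a single root user.
      # Collection-level and tenant-scoped roles are then created through the
      # roles API rather than in this file.
      AUTHORIZATION_RBAC_ENABLED: 'true'
      AUTHORIZATION_RBAC_ROOT_USERS: 'admin-service'

      # Simpler alternative (admin list) for the admin vs. read-only case.
      # Use one scheme or the other, not both.
      # AUTHORIZATION_ADMINLIST_ENABLED: 'true'
      # AUTHORIZATION_ADMINLIST_USERS: 'admin-service'
      # AUTHORIZATION_ADMINLIST_READONLY_USERS: 'ci-pipeline'
```

After startup, verify the choice took effect: an unauthenticated request should be rejected, and a request with a non-root API key should be limited to the permissions of the role you assign it.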

What's next?

Let's explore disaster recovery and backup strategies to protect your production data.