Skip to main content

Organizations and Access

An ArrayLake Org represents an organization of Users that maintains multiple Repos. A company or institution will typically have a single Arraylake organization, and an Arraylake User can belong to one or more organizations.

When using the Arraylake API, the org identifier prefixes a repository name to uniquely identify a repository. For example my-company/sentinel-repo represents the sentinel-repo belonging to my-company.


Arraylake supports two methods of authenticating requests to the service:

  • User identities: A User authenticates directly
  • Service Accounts: An API token associated with a shared service account is used

Authenticating as a User

To authenticate as a user, use the Arraylake CLI. Running the following command will initiate the login flow by directing you to a login page associated with your organization:

arraylake auth login

# Or, if running from a remote environment
arraylake auth login --no-browser

This flow will yield a code that can be provided to the command line prompt and ultimately authenticate your access to the service.

Subsequently you can use arraylake auth logout to logout, or arraylake auth refresh to refresh your authenticated status.


For customers with custom SSO authentication support, it is required to first set an explicit user organization configuration value using arraylake config set <an-org-identifier>. If this is required, an identifier will be provided to you by the Earthmover team.

Authenticating as a Service Account

At this time, Service Account authentication is available via the Python API only. To authenticate as a service account pass the appropriate API token as a parameter to the Client. We recommend storing the token as an environment variable rather than hard coding the token in code. For example, if the environment variable MY_ARRAYLAKE_API_TOKEN is set, you can access it as follows:

import os
from arraylake import Client

api_token = os.environ.get('MY_ARRAYLAKE_API_TOKEN')
client = Client(token=api_token)

If present, the ARRAYLAKE_TOKEN environment variable will automatically be detected and used to populate the client token. This is the easiest way to configure access to Arraylake from automated scripts, cron jobs, and CI environments.

Service Account API Tokens

Service Account API tokens enable programmatic authentication to Arraylake services, supporting access from deployed services and jobs that run on behalf of a team or project.

Distribution & Management

  • Tokens must be issued by the Earthmover team. If you would like API tokens, please reach out.
  • Tokens are a single string, prefixed with the ema_ identifier.
    • Example Token: ema_123456789123456789_123456789123456789123456789.
  • Tokens should be considered secret, and should not be shared publicly. Owners should take appropriate precautions when distributing in deployed environments. For example: consider storing the token in a service like AWS SSM Paramater store to enable deployed services or jobs to acces them.

Token Properties

  • Tokens are associated with shared Service Accounts. They are intended to be used for machine-to-machine authentication on behalf of these accounts, and should not be used for individual user access to services.
  • Tokens are associated with a Service Account identifier of the form: <name>@<org> The <name> component of this identifier is defined by the requester. It is possible to have multiple tokens associated with a single Service Account. (Note that this is not actually a valid email address.)
  • Tokens expire after 1 year by default. This is configurable as needed by the requester.