User Credentials

There are several types of credentials that you manage with Oracle Cloud Infrastructure Identity and Access Management (IAM):

  • Console password: For signing in to the Console, the user interface for interacting with Oracle Cloud Infrastructure. Note that federated users can't have Console passwords because they sign in through their identity provider. See Federating with Identity Providers.
  • API signing key (in PEM format): For sending API requests, which require authentication.
  • Auth token: An Oracle-generated token that you can use to authenticate with third-party APIs. For example, use an auth token to authenticate with a Swift client when using Recovery Manager (RMAN) to back up an Oracle Database System (DB System) database to Object Storage.
  • Customer Secret Keys: For using the Amazon S3 Compatibility API with Object Storage. See Amazon S3 Compatibility API.
  • OAuth 2.0 Client Credentials: For interacting with the APIs of those services that use OAuth 2.0 authorization. See OAuth 2.0 Client Credentials.
  • SMTP Credentials: For using the Email Delivery service.

API signing keys are different from the SSH keys you use to access a compute instance (see Security Credentials). For more information about API signing keys, see Required Keys and OCIDs. For more information about instance SSH keys, see Managing Key Pairs.

User Password

The administrator who creates a new user in IAM also needs to generate a one-time Console password for the user (see To create or reset another user's Console password). The administrator needs to securely deliver the password to the user by providing it verbally, printing it out, or sending it through a secure email service.

When the user signs in to the Console the first time, they'll be immediately prompted to change the password. If the user waits more than 7 days to initially sign in and change the password, it will expire and an administrator will need to create a new one-time password for the user.

Once the user successfully signs in to the Console, they can use Oracle Cloud Infrastructure resources according to permissions they've been granted through policies.


A user automatically has the ability to change their password in the Console. An administrator does not need to create a policy to give a user that ability.

Changing a Password

If a user wants to change their own password sometime after they change their initial one-time password, they can do it in the Console. Remember that a user can automatically change their own password; an administrator does not need to create a policy to give the user that ability.

For more information, see To change your Console password.

If a User Needs Their Console Password Reset

If a user forgets their Console password and also has no access to the API, they can use the Console's Forgot Password link to have a temporary password sent to them. This option is available if the user has an email address in their user profile.

If the user does not have an email address in their user profile, then they need to ask an administrator to reset their password for them. All administrators (and anyone else who has permission to the tenancy) can reset Console passwords. The process of resetting the password generates a new one-time password that the administrator needs to deliver to the user. The user will need to change their password the next time they sign in to the Console.

If you're an administrator who needs to reset a user's Console password, see To create or reset another user's Console password.

If a User Is Blocked from Signing In to the Console

If a user tries 10 times in a row to sign in to the Console unsuccessfully, they will be automatically blocked from further attempts. They'll need to contact an administrator to get unblocked (see To unblock a user).

API Signing Keys

A user who needs to make API requests must have an RSA public key in PEM format (minimum 2048 bits) added to their IAM user profile and sign the API requests with the corresponding private key (see Required Keys and OCIDs).


A user automatically has the ability to generate and manage their own API keys in the Console or API. An administrator does not need to write a policy to give the user that ability. Remember that a user can't use the API to change or delete their own credentials until they themselves save a key in the Console, or an administrator adds a key for that user in the Console or the API.

If you have a non-human system that needs to make API requests, an administrator needs to create a user for that system and then add a public key to the IAM service for the system. There's no need to generate a Console password for the user.

For instructions on generating an API key, see To add an API signing key.

OAuth 2.0 Client Credentials


OAuth 2.0 Client Credentials are not available in the United Kingdom Government Cloud (OC4).

OAuth 2.0 client credentials are required to interact programmatically with those services that use the OAuth 2.0 authorization protocol. The credentials enable you to obtain a secure token to access those service REST API endpoints. The allowed actions and endpoints granted by the token depend on the scopes (permissions) that you select when you generate the credentials. For more information, see Working with OAuth 2.0 Client Credentials.

Auth Tokens

Auth tokens are authentication tokens generated by Oracle. You use auth tokens to authenticate with third-party APIs that do not support the Oracle Cloud Infrastructure signature-based authentication, for example, the Swift API. If your service requires an auth token, the service-specific documentation instructs you to generate one and how to use it.