Authentication Methods
CloudExplain provides two secure authentication methods for uploading and processing your model explanations. Choose the approach that best fits your security requirements and infrastructure.
All authentication methods are handled securely by the CloudExplain open-source package, ensuring your model data and credentials remain protected throughout the upload and processing pipeline.
Secure token verification with dynamic SAS token generation for isolated uploads
How it Works:
Generate API token from CloudExplain dashboard
Token is verified by the upload_via_token Azure Function
If valid, receive SAS token for specific storage folder
Data uploaded to isolated folder, processing triggered
Upload directly to Azure Storage with automatic event-triggered processing
How it Works:
Configure storage connection string in your environment
CloudExplain uploads data directly to specified blob storage
Event trigger automatically initiates data processing
Implementation Examples
Recommended approach using secure API tokens with verification
import cloudexplain
# Option 2: Token-Based Authentication (Recommended)
# Authenticate via API token, get SAS token, then upload
with cloudexplain.azure.explain(
model=model,
X=X_test,
y=y_test,
model_name="Token Auth Model",
explanation_name="Token Authentication Example",
model_description="Using secure token-based authentication",
explanation_env="prod",
data_source="production dataset",
ml_type="binary_classification",
feature_descriptions=feature_descriptions,
baseline_data=X_train,
# Token-based authentication
api_token="your_api_token_here", # Generated from /dashboards/analytics/tokens
function_url="https://your-env-execute-containers.azurewebsites.net/api/upload_via_token"
) as run:
# 1. Token is verified by upload_via_token function
# 2. If valid, you receive a SAS token for specific folder
# 3. Data is uploaded to designated storage location
# 4. Processing is triggered automatically
print(f"Authentication successful: {run.explanation_id}")
print("Secure upload completed with token verification")Required Parameters:
api_tokenfunction_url Azure Function endpoint for token verification
Note: you need write access to the storage account to use this method. Direct access approach for enterprise environments
import cloudexplain
# Option 1: Direct Storage Upload
# Upload directly to storage, then trigger processing via event
with cloudexplain.azure.explain(
model=model,
X=X_test,
y=y_test,
model_name="Direct Upload Model",
explanation_name="Direct Storage Upload Example",
# Storage configuration
storage_connection_string="your_storage_connection_string",
container_name="explanations",
blob_path="models/my_model/explanation_2025_06_14"
) as run:
# Data is uploaded directly to Azure Storage
# Event triggers automatic processing
print(f"Upload completed: {run.blob_url}")
print("Processing will start automatically via event trigger")Required Configuration:
storage_connection_string Azure Storage account connection string
container_name Target container for explanations
Security Features
All API tokens are verified server-side before granting access to storage resources. Invalid or expired tokens are immediately rejected.
Each authenticated session receives access to an isolated storage folder, ensuring data separation between users and projects.
Once data is uploaded, processing is triggered automatically through secure event-driven architecture without manual intervention.
Token Management
- Use short-lived tokens when possible
- Store tokens securely in environment variables
- Rotate tokens regularly for production use
- Revoke unused tokens immediately
Data Security
- Always use HTTPS endpoints
- Avoid logging sensitive authentication data
- Use network security groups for additional protection
- Monitor access logs for unusual activity