Authentication¶

Ray Token Authentication¶

Ray supports token authentication (v2.52.0+) which protects both gRPC (used by ray.init()) and HTTP (used by job submission) endpoints.

The client process needs two environment variables to be set:

RAY_AUTH_MODE=token
RAY_AUTH_TOKEN=<token> (or RAY_AUTH_TOKEN_PATH)

Authenticating Against Proxies¶

Pipes clients such as PipesKubeRayJobClient or PipesRayJobClient communicate with the Ray dashboard over HTTP. They support headers, cookies, and verify parameters for authentication:

PipesKubeRayJobClient(
    headers={"Authorization": "Bearer <token>"},
)

Tip

These parameters can also be overridden per-invocation in the PipesKubeRayJobClient.run method.

This is useful when submitting jobs across Kubernetes clusters, where the traffic may be flowing through a proxy requiring additional authentication.