Integrate Authorizer with Astra DB Serverless

Authorizer provides authentication and authorization for applications. It integrates with many database providers, including Astra DB Serverless.

This guide explains how to configure an Astra connection for an Authorizer deployment.

Create keyspace and get credentials

  1. Create an Astra DB Serverless database or use an existing one.

  2. Create a keyspace named authorizer, but don’t create any tables in it.

    When you connect a database to your Authorizer instance, Authorizer creates the required tables to manage user data and authentication.

  3. Generate an application token with a role that can read and write to the database, such as the Database Administrator role.

  4. Download your database’s Secure Connect Bundle (SCB).

    For multi-region databases and custom domains, make sure you download the correct SCB type.

  5. Extract the SCB archive.

    Authorizer can’t process the SCB archive, so you must provide the required certificates and connection details directly in your Authorizer configuration.

  6. Open the extracted config.json file, and then find the host and cql_port values. In the next section, you’ll set these values in your Authorizer configuration.

  7. Create Base64-encoded strings from the extracted cert, ca.crt, and key files. You can output these strings to files or directly to the terminal.

    • Output to file

    • Output to terminal

    1. Change to the directory where you extracted the SCB.

    2. Run the following three commands:

      base64 cert cert_base64_file
      base64 ca.crt ca_base64_file
      base64 key key_base64_file

    3. Note the output path for each file. If necessary, move the files to a location that your Authorizer deployment can access.

    1. Change to the directory where you extracted the SCB.

    2. Run the following three commands:

      base64 cert
      base64 ca.crt
      base64 key

    3. Copy the Base64-encoded string produced by each command so you can use them in your Authorizer configuration in the next section.

Configure Authorizer

  1. If you haven’t done so already, deploy Authorizer.

  2. Set the Astra connection details in your deployment’s environment variables.

    Your deployment type determines how you set these environment variables. For example, binaries use a .env file, and Kubernetes deployments use an authorizer.yml file.

    DATABASE_HOST="HOST"
DATABASE_TYPE="cassandradb"
DATABASE_PORT=PORT
DATABASE_USERNAME="token"
DATABASE_PASSWORD="APPLICATION_TOKEN"
DATABASE_CERT="STRING_OR_PATH"
DATABASE_CERT_KEY="STRING_OR_PATH"
DATABASE_CA_CERT="STRING_OR_PATH"

    Replace the following placeholders with the values you gathered in Create keyspace and get credentials:

    • HOST: Provide the host value from the config.json file in your SCB, such as DB_ID-REGION.db.astra.datastax.com. For multi-region databases, include the region suffix, such as DB_ID-REGION-REGION-SUFFIX.db.astra.datastax.com. For custom domains, the host is based on your custom domain.

    • PORT: Provide the cql_port value from the config.json file in your SCB, such as 29042.

    • APPLICATION_TOKEN: Provide your Astra application token. In a production environment, use a secure reference to the token; don’t provide the token directly in the .env file.

    • STRING_OR_PATH: Provide the Base64-encoded string or the path to the file that contains the Base64-encoded string for each of the three certificate files from your SCB.

  3. Start or restart your Authorizer instance to apply the configuration changes.

Troubleshoot the Authorizer integration

You can use cqlsh to check that the Authorizer tables are present in Astra:

DESCRIBE KEYSPACE authorizer;

If the tables aren’t present, try the following:

  • Make sure the keyspace name is authorizer.

  • Restart your Authorizer instance.

  • Generate some activity in your Authorizer instance to prompt Authorizer to interact with the database.

  • Check your Authorizer configuration and Authorizer logs for possible errors.

  • Make sure the Astra application token has a role that can read and write to the database.

  • If you set the DATABASE_HOST to DB_ID-REGION.db.astra.datastax.com, add the region suffix, even if the database is deployed to only one region. For example, add -1 for the primary region or a single-region database: DB_ID-REGION-1.db.astra.datastax.com.

  • If your Authorizer deployment isn’t colocated with your Astra database, try to reduce latency. For example, you can move or replicate your Authorizer instance, create a database in a closer region, or deploy a multi-region database.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax, an IBM Company | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com