Skip to main content
Ollama supports flexible authentication depending on where and how you’re running models. Local access requires no authentication, while cloud features use secure token-based authentication.

Local API Access

No authentication is required when accessing Ollama’s API locally via http://localhost:11434. 
curl http://localhost:11434/api/generate -d '{
  "model": "gemma3",
  "prompt": "Hello, world!"
}'
Local access is unrestricted by default. If you need to secure your local Ollama instance, consider using a reverse proxy with authentication or firewall rules.

When Authentication is Required

Authentication is required for the following use cases:

Cloud Models

Running cloud-based models via ollama.com

Publishing Models

Pushing models to the Ollama registry

Private Models

Downloading private models from the registry

Remote Inference

Accessing ollama.com’s hosted inference API

Authentication Methods

Ollama supports two authentication methods: Sign in from your local Ollama installation, and authentication is handled automatically:
1

Sign in to Ollama

Run the signin command in your terminal:
ollama signin
You’ll be prompted to complete the authentication flow via your browser.
2

Use authenticated commands

Once signed in, Ollama automatically authenticates commands that require it:
ollama run gpt-oss:120b-cloud
3

API requests work automatically

Local API requests to cloud models are automatically authenticated:
curl http://localhost:11434/api/generate -d '{
  "model": "gpt-oss:120b-cloud",
  "prompt": "Why is the sky blue?"
}'
When you sign in, Ollama stores authentication credentials locally and automatically includes them in requests that need authentication.

Method 2: API Keys

For programmatic access to ollama.com’s API (https://ollama.com/api), use API keys for authentication.
1

Create an API key

Generate an API key from your Ollama settings page.
2

Set the environment variable

Export your API key as an environment variable:
export OLLAMA_API_KEY=your_api_key_here
3

Use in API requests

Include the API key in the Authorization header:
curl https://ollama.com/api/generate \
  -H "Authorization: Bearer $OLLAMA_API_KEY" \
  -d '{
    "model": "gpt-oss:120b",
    "prompt": "Why is the sky blue?",
    "stream": false
  }'

API Key Management

API keys provide full access to your Ollama account. Store them securely and never commit them to version control.
  • Expiration: API keys don’t currently expire automatically
  • Revocation: You can revoke keys at any time in your API keys settings
  • Multiple keys: Create multiple keys for different applications or environments

Authentication Flow Details

When using authenticated requests, Ollama implements a secure challenge-response authentication mechanism:
  1. Timestamp-based challenges: Each request includes a timestamp (ts) parameter to prevent replay attacks
  2. Signed tokens: Authentication tokens are cryptographically signed using your local credentials
  3. Automatic token refresh: The client handles token refresh transparently
The authentication implementation can be found in api/client.go and server/auth.go in the Ollama source code.

Error Handling

When authentication fails, you’ll receive a 401 Unauthorized response: 
{
  "error": "unauthorized",
  "signin_url": "https://ollama.com/connect?name=..."
}
The signin_url field provides a direct link to authenticate your installation.

Signing Out

To remove stored authentication credentials from your local installation: 
ollama signout
You can also disconnect specific devices from the API: 
DELETE /api/user/keys/{encodedKey}

Environment Variables

Ollama respects the following authentication-related environment variables:
VariableDescriptionDefault
OLLAMA_HOSTBase URL for API requestshttp://localhost:11434
OLLAMA_API_KEYAPI key for ollama.com authenticationNone

Best Practices

Use Environment Variables

Store API keys in environment variables, never in code

Rotate Keys Regularly

Periodically create new keys and revoke old ones

Use Signin for Local Dev

The ollama signin method is simpler for local development

Use API Keys for CI/CD

API keys are better for automated deployments and services

Next Steps

Client Libraries

Use Python or JavaScript libraries with built-in auth support

Generate Text

Start generating text with authenticated models

Error Handling

Learn how to handle authentication errors