Skip to content

sasjs auth

sasjs auth provides authentication against a predefined SAS target. The following commands make use of authentication:

  • sasjs run
  • sasjs job execute
  • sasjs flow
  • sasjs request
  • sasjs deploy
  • sasjs test
  • sasjs folder

The sasjs auth command is an alias for sasjs add cred - and it is integrated also into the sasjs add command (for adding a new target).


Before using this command, you will need to:


sasjs auth [additional arguments]

Additional arguments may include:

  • --target (alias -t) - the target environment in which to deploy the services. If not specified, the defaultTarget will be used, as defined in sasjsconfig.json. The target can exist either in the local project configuration or in the global .sasjsrc file.


Targets can have local (to a project) or global (to a user) scope. For a local target, credentials are stored in a .env.[target name] file. To have one file that covers all (local) targets you can rename this file to .env.

All published SASjs projects (and templates) already include this file in the .gitignore file, if you are deploying to your own existing project you should do the same - to prevent accidentally pushing credentials to source control.

For global targets the credentials are stored in the .sasjsrc file in the users home directory.

Server Type

The authentication approach taken will depend on the serverType which can be SAS9 or SASVIYA.

SAS Viya Authentication

To authenticate with SAS Viya you will need an administrator to provide a CLIENT and SECRET with authorization_code grant type (SASjs does not support password authentication grant type). Further information on this topic is available here.

After you provide the client / secret, you are given a link which you must click to obtain the authorisation code. Be sure to select any scopes (such as openid) if presented.

Once you provide the authorisation code, the ACESS_TOKEN and REFRESH_TOKEN are saved and used for further connection requests. If the ACCESS_TOKEN expires (by default after 12 hours) the REFRESH_TOKEN will be used automatically to update, until it also expires (by default after 30 days). At this point, you will need to run sasjs auth once again.

SAS 9 Authentication

SAS 9 authentication requires a username and password. We strongly recommend the use of SAS encoded passwords (method=sas003 and above), however - to enable this you will first need to make a server side change (to the AllowEncodedPassword property) as follows:

  1. Log on to SAS® Management Console.
  2. Select Application Management.
  3. Navigate to Configuration Manager ► Stored Process Web App
  4. Select Properties ► Advanced (tab).
  5. Click the Add button and define a new property:
    • Property Name: AllowEncodedPassword
    • Property Value: true
  6. Click OK
  7. Restart the Mid Tier Web Server

If the password you provide is not sas-encoded, the command will still work, however you will get health warnings in the log.

SAS 9 Execution

SAS 9 operations require the use of a "runner" for executing the SAS code generated by the CLI. For security, this runner is always stored in your home directory in metadata.

To deploy the runner:

/* import the macros */
filename mc url "";
%inc mc;
/* create the runner */
filename ft15f001 temp;
%macro sasjs_runner();
%if %symexist(_webin_fileref) %then %do;
%inc &_webin_fileref;
%mend sasjs_runner;
  path=/User Folders/&sysuserid/My Folder/sasjs,