**Source URL:** https://limited.veevavault.dev/clinical/vault-api/api-reference/21.3/authentication/authentication-type-discovery.md

# Authentication Type Discovery



Discover the authentication type of a user. With this API, applications can dynamically adjust the login requirements per user and support either username/password or OAuth 2.0 / OpenID Connect authentication schemes.

<Endpoint path="https://login.veevavault.com/auth/discovery" method="POST"></Endpoint>

## Headers {#headers}

<FieldTable>
| Name | Description |
| --- | --- |
| `Accept` | `application/json` (default) |
</FieldTable>

## Query Parameters {#query-parameters}

<FieldTable>
| Name | Description |
| --- | --- |
| `username` | The user’s Vault user name. |
| `client_id` | Optional: The user's mapped Authorization Server `client_id`. This only applies to the SSO and OAuth / OpenID Connect Profiles `auth_type`. Learn more about [Client ID in the REST API Documentation](/vault-api/references/client-id). |
</FieldTable>

## Request {#request}

<CodeExample title="">
```
curl -X POST \
-H "Accept: application/json" \
"https://login.veevavault.com/auth/discovery?username=olivia@veepharm.com&client_id=veepharm-clinical-it-client-int0"

```
</CodeExample>

## Response : Password User {#response--password-user}

<CodeExample title="">
```
{
    "responseStatus": "SUCCESS",
    "errors": [],
    "data": {
        "auth_type": "password"
    }
}

```
</CodeExample>

## Response : SSO User {#response--sso-user}

<CodeExample title="">
```
{
    "responseStatus": "SUCCESS",
    "data": {
        "auth_type": "sso",
        "auth_profiles": [
            {
                "id": "_9ad0a091-cbd6-4z59-ab5a-d4f35789918c",
                "label": "VeePharm",
                "description": "",
                "vault_session_endpoint": "https://veepharm.com/auth/oauth/session/_9ad0a091-cbd6-4z59-ab5a-d4f35789918c",
                "use_adal": false,
                "as_client_id":"34524523452345234523452345098098234",
                "as_metadata": {
                    "issuer": "https://veevaintrospection.com/oauth2/asdf123",
                    "authorization_endpoint": "https://veevintrospection.com/oauth2/asdf123/v1/authorize",
                    "token_endpoint": "https://veevaintrospection.com/oauth2/asdf123/v1/token",
                    "registration_endpoint": "https://veevaintrospection.com/oauth2/v1/clients",
                    "jwks_uri": "https://veevaintrospection.com/oauth2/asdf123/v1/keys",
                    "response_types_supported": [
                        "code",
                        "token",
                        "code token"
                    ],
                    "response_modes_supported": [
                        "query"
                    ],
                    "introspection_endpoint": "https://veevatintrospection.com/oauth2/asdf1234/v1/introspect",
                    "introspection_endpoint_auth_methods_supported": [
                        "client_secret_basic"
                    ],
                    "revocation_endpoint": "https://veevaintrospection.com/oauth2/asdf123/v1/revoke",
                    "revocation_endpoint_auth_methods_supported": [
                        "client_secret_basic"
                    ],
                    "end_session_endpoint": "https://veevaintrospection.com/oauth2/asdf123/v1/logout"
                }
            }
        ]
    }
}

```
</CodeExample>

## Response Details {#response-details}

The response specifies the user’s authentication type (`auth_type`):

* `password`: The user is configured with a username and password.

* `sso`: The user is configured with an SSO Security Policy.

If the user’s authentication type is `sso`, the response specifies the user’s authentication profiles (`auth_profiles`). If the user’s Security Policy is associated with:

* An OAuth 2.0 / OpenID Connect profile, the response will also contain the Authentication Server metadata (`as_metadata`).

* A SAML profile, the `auth_profiles` array will be empty.

If the Authorization Server Provider is set to use ADFS or Azure AD, the `use_adal` field will appear in the response as `true`. If the Authorization Server Provider is set to anything else, this field is `false`.

The `oauthProviderType` value depends on the configured auth provider type. Starting with v20.3, the ADFS / Azure AD option is split into two: ADFS and Azure AD. ADFS exposes the value as `ADFS`, while Azure AD exposes the value as `Azure`. Learn about [Configuring OAuth 2.0 / OpenID Connect Profiles](https://platform.veevavault.help/en/lr/43329) in Vault Help.

If the user provides a `client_id` and Client Application client ID mapping is defined on the OAuth 2.0 / OpenID Connect profile, the `as_client_id` field will appear in the response with the Authorization Server client ID value. If there is no defined mapping for the specified `client_id`, Vault will not include the `as_client_id` field in the response. Learn about [Client ID Mapping](https://platform.veevavault.help/en/lr/43329) in Vault Help.
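The branching described in Response Details, written out as an added example (not Veeva's code): a client-side function that maps a parsed discovery response to the login flow to start, refuses non-HTTPS endpoints, and reports a missing `as_client_id`. The sample response, its placeholder hosts, the function names, the choice of the first profile, and the issuer-host comparison are assumptions of this example, not Vault requirements.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like the SSO response above; hosts are placeholders.
SSO_SAMPLE = json.loads("""
{"responseStatus": "SUCCESS", "data": {"auth_type": "sso", "auth_profiles": [{
  "id": "_example-profile-id", "use_adal": false,
  "vault_session_endpoint": "https://vault.example.com/auth/oauth/session/_example-profile-id",
  "as_metadata": {
    "issuer": "https://idp.example.com/oauth2/abc",
    "authorization_endpoint": "https://idp.example.com/oauth2/abc/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/abc/v1/token",
    "jwks_uri": "https://keys.example.net/oauth2/abc/v1/keys"}}]}}
""")

AS_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def https_host(url, name):
    """Return the hostname of an https URL, or raise if it is anything else."""
    parts = urlsplit(url or "")
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"{name} is not an https URL: {url!r}")
    return parts.hostname

def plan_login(body, client_id_sent=False):
    """Turn a parsed discovery response into the login flow to start."""
    if body.get("responseStatus") != "SUCCESS":
        raise ValueError(f"discovery failed: {body.get('errors')}")
    data = body.get("data") or {}
    if data.get("auth_type") == "password":
        return {"flow": "password"}
    if data.get("auth_type") != "sso":
        raise ValueError(f"unexpected auth_type: {data.get('auth_type')!r}")
    profiles = data.get("auth_profiles") or []
    if not profiles:  # SAML profile: auth_profiles is empty
        return {"flow": "saml"}
    profile = profiles[0]  # assumption of this example: use the first profile
    meta = profile.get("as_metadata") or {}
    https_host(profile.get("vault_session_endpoint"), "vault_session_endpoint")
    issuer_host = https_host(meta.get("issuer"), "issuer")
    # Endpoints off the issuer host are reported for review, not rejected.
    warnings = [f"{key} is not on the issuer host" for key in AS_ENDPOINTS
                if https_host(meta.get(key), key) != issuer_host]
    if client_id_sent and "as_client_id" not in profile:
        warnings.append("no as_client_id: client_id has no mapping on this profile")
    return {"flow": "oauth", "use_adal": profile.get("use_adal") is True,
            "as_client_id": profile.get("as_client_id"),
            "session_endpoint": profile["vault_session_endpoint"], "warnings": warnings}
```
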


