# Authentication and Scopes

All Solution commands require authentication through an **External Application** configured in Orchestrator. Unlike standalone project tasks, solutions do not support machine or interactive authentication methods.

## Authentication requirements

Solution commands authenticate exclusively via **OAuth2 with External Apps**.

You must configure an External Application in Orchestrator Admin with the appropriate scopes before running any Solution CLI commands.

## Required OAuth scopes

Solutions use a dedicated set of application scopes that differ from standard Orchestrator scopes. Configure your External App with the following scopes for all Solution operations:

### Copy-paste format for CI/CD secrets

```
AutomationSolutions Solutions.Deployments Solutions.Deployments.Read Solutions.Deployments.Write Solutions.Packages Solutions.Packages.Read Solutions.Packages.Write
```

This single-line, space-separated format can be used directly in:
- Azure DevOps Variable Groups
- GitHub Repository Secrets
- Jenkins Credentials Store

**Note:** The following operations do not require authentication as they run locally:
- `restore` - Restores dependencies locally
- `analyze` - Validates projects locally
- `pack` - Creates packages locally

## Common authentication parameters

All Solution commands that interact with Orchestrator require these parameters. Where a long form (alternative) is listed, you can use either it or the short form:

| Short form | Long form (alternative) | Description | Example |
|------------|--------------------------|-------------|---------|
| `-U` | N/A | Orchestrator URL | See [Orchestrator URL](#orchestrator-url) below |
| `-T` | N/A | Orchestrator tenant name | `DefaultTenant` |
| `-A` | `--accountForApp` | Organization (account) name | `myorg` |
| `-I` | `--applicationId` | External App ID | `12345678-xxxx-xxxx-xxxx-xxxxxxxxxxxx` |
| `-S` | `--applicationSecret` | External App secret | `****` (keep secure) |
| `--applicationScope` | N/A | Scope list (see above) | See [Required OAuth scopes](#required-oauth-scopes) above |
| `--traceLevel` | N/A | Logging level | `Information`, `Verbose`, `Warning` |

### Example with long-form parameters

```bash
uipcli solution upload-package ./packages/MySolution.1.0.0.zip \
  -U https://cloud.uipath.com/ \
  -T DefaultTenant \
  --accountForApp myorg \
  --applicationId 12345678-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
  --applicationSecret **** \
  --applicationScope "AutomationSolutions Solutions.Packages Solutions.Packages.Write"
```

### Orchestrator URL

Use the base URL only for the Orchestrator instance. Do not include organization, tenant, or path segments (for example, do not use `https://cloud.uipath.com/myorg/DefaultTenant/orchestrator_`). Organization and tenant are passed separately with `-A` and `-T`.

- **UiPath Automation Cloud**: Use the cloud base URL (for example `https://cloud.uipath.com/` or `https://staging.uipath.com/`).
- **Automation Suite (on-premises or private cloud)**: Use the base URL of your Automation Suite instance (for example `https://uipath.yourcompany.com/`). The URL is the same as for package commands. Only the base address of your Orchestrator (or Automation Suite) differs from the public cloud.

:::note Default Application Scopes

When using external application authentication without specifying the `--applicationScope` parameter, the CLI automatically applies the required scopes for Solution commands.

:::

## Setting up an External Application

To create an External Application for Solutions:

1. Log in to **Orchestrator** as an Administrator.
2. Navigate to **Admin** → **External Applications**.
3. Click **Add Application**.
4. Provide a name (e.g., `CI-CD-Solutions`).
5. Select **Confidential application** as the Application Type.
6. Add the required scopes listed above.
7. Copy the **Application ID** and **Secret** and store them securely in your CI/CD secret manager.

For detailed instructions on configuring external applications, see [Managing external OAuth applications](https://docs.uipath.com/automation-cloud/automation-cloud/latest/admin-guide/managing-external-applications#adding-an-external-application).

## Using custom Orchestrator feeds

When using custom activity feeds from Orchestrator during restore operations, use these alternative parameters:

| Standard Parameter | Custom Feed Parameter |
|-------------------|----------------------|
| `--applicationScope` | `--libraryOrchestratorApplicationScope` |
| `-T` (tenant) | `--libraryOrchestratorTenant` |
| `-U` (URL) | `--libraryOrchestratorUrl` |
| (folder) | `--libraryOrchestratorFolder` |

### Example

```bash
uipcli solution restore <solution-path> \
  -A myorg \
  -I 12345678-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
  -S **** \
  --libraryOrchestratorApplicationScope "OR.Folders OR.Settings.Read" \
  --libraryOrchestratorTenant DefaultTenant \
  --libraryOrchestratorUrl https://cloud.uipath.com/ \
  --libraryOrchestratorFolder MyFolder
```

## Security best practices

- Never hardcode secrets in pipeline YAML or scripts.
- Use your CI/CD platform's secret management:
  - Azure DevOps: Variable Groups with Secret variables.
  - GitHub Actions: Repository or Organization Secrets.
  - Jenkins: Credentials Store.
- Rotate External App secrets regularly.
- Use separate External Apps for different environments (Dev, Test, Prod).
- Apply least-privilege scopes - only grant what's needed for each pipeline.
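
The following pre-flight wrapper is an added example, not part of uipcli or the original documentation. It enforces the base-URL rule from the Orchestrator URL section, restricts `--applicationScope` to the Solution scopes listed on this page, and takes credentials only from environment variables populated by the CI secret store. The `UIPATH_*` variable names and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for a CI job that calls `uipcli solution ...`.
# The UIPATH_* variable names and function names are assumptions, not uipcli features.

# Solution scopes listed under "Required OAuth scopes" on this page.
SOLUTION_SCOPES="AutomationSolutions Solutions.Deployments Solutions.Deployments.Read Solutions.Deployments.Write Solutions.Packages Solutions.Packages.Read Solutions.Packages.Write"

# Succeeds only for a base URL: https scheme, host, optional trailing slash,
# and no organization, tenant or path segments.
check_base_url() {
  case "$1" in
    https://*) ;;
    *) echo "URL must start with https://: $1" >&2; return 1 ;;
  esac
  local rest="${1#https://}"
  rest="${rest%/}"                      # allow one trailing slash
  case "$rest" in
    ""|*/*|*\?*|*\#*|*@*) echo "use the base URL only: $1" >&2; return 1 ;;
  esac
}

# Succeeds only if every requested scope is one of the Solution scopes above.
# Applies to --applicationScope, not to the custom-feed scope parameter.
check_scopes() {
  local scope
  [ -n "$1" ] || { echo "empty scope list" >&2; return 1; }
  for scope in $1; do
    case " $SOLUTION_SCOPES " in
      *" $scope "*) ;;
      *) echo "unexpected scope: $scope" >&2; return 1 ;;
    esac
  done
}

# Uploads a package with credentials read from the environment.
# ${VAR:?} aborts the script if a variable is unset or empty.
upload_solution_package() {
  local package="$1" scopes="$2"
  check_base_url "${UIPATH_URL:?}" && check_scopes "$scopes" || return 1
  uipcli solution upload-package "$package" \
    -U "$UIPATH_URL" -T "${UIPATH_TENANT:?}" \
    --accountForApp "${UIPATH_ORG:?}" \
    --applicationId "${UIPATH_APP_ID:?}" \
    --applicationSecret "${UIPATH_APP_SECRET:?}" \
    --applicationScope "$scopes"
}
```

A pipeline step would call `upload_solution_package ./packages/MySolution.1.0.0.zip "AutomationSolutions Solutions.Packages Solutions.Packages.Write"`, so an upload job cannot request deployment scopes without the check failing first.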
