/
Schema Registry Authentication in Kafka with SnapLogic

Schema Registry Authentication in Kafka with SnapLogic

This page is no longer maintained (Nov 12, 2025). For the most current information, go to https://docs.snaplogic.com/snaps/snaps-data/sp-kafka/schema-registry-authentication.html.

Overview

Schema Registry Authentication in Kafka is a security mechanism that controls access to the Schema Registry, which stores and manages schemas for Kafka messages, particularly when using schema-dependent formats like Avro. It is a separate authentication layer within the Kafka OAuth2 account. When working with Kafka in SnapLogic, you can configure Schema Registry Authentication through the Kafka SSL Account and Kafka OAuth2 Account.

Kafka OAuth2 Account
├── Main Kafka Authentication (OAuth2): Authenticates with the Kafka cluster using Client ID and Secret.
└── Schema Registry Authentication (Additional Layer): Authenticates with the Schema Registry using Schema Registry Client ID and Secret. If either the Schema Registry Client ID or Secret is empty, then it uses the main Kafka credentials. Similarly, a Schema Registry Token endpoint can be specified; if left empty, the main Token endpoint is used.

OAuth2 endpoint provides access tokens for both layers.

Key authentication components

  • Registry Username or Key: The username or API key for authentication

  • Registry Password or Secret: The corresponding password or API secret

  • Schema Registry URL: The endpoint URL for your schema registry service

For Confluent Cloud:

  • Use the API Key from Confluent Control Center as the Registry Username/Key

  • Use the API Secret as the Registry Password/Secret

The Kafka Producer Snap uses standard naming conventions for schemas:

  • Key schema: topic-key (example: "order-key")

  • Value schema: topic-value (example: "order-value")

When is Schema Registry authentication required?

  • When working with schema-dependent serializers such as:

    • Avro format

    • JSON_SR (JSON with Schema Registry)

Schema Registry configuration scenarios

Scenario 1

When you provide a Schema registry URL, the Kafka OAuth2 account uses the Kafka broker credentials to authenticate to the Schema Registry. This is a valid configuration; however, for the Schema Registry authentication, you must configure Client ID, Client secret, and OAuth2 token endpoint fields.

If you do not provide any values in the Schema Registry Authentication field set, the OAuth2 Account uses Kafka broker credentials to authenticate to the Schema Registry.

scenario1-schema-registry-config.png

Scenario 2

If the Registry cluster ID and Identity pool ID are empty, the account validates successfully. These fields are only required in the Confluent Cloud environment.

scenario2-schema-registry-config.png

Scenario 3

The authentication fields in the Schema Registry field set override broker values, so the following image shows a different Client ID and Client secret in the Schema Registry field set, but the OAuth2 token endpoint is empty. In this case, the Schema Registry uses the OAuth2 token endpoint defined in the broker section, which is required.

scenario3-schema-registry-config.png

 

Have feedback? Email documentation@snaplogic.com | Ask a question in the SnapLogic Community
© 2017-2025 SnapLogic, Inc.