Best authentication method for unattended cs_tools runs on ThoughtSpot Cloud?

[tam-ta-patties-com-au]

Hi,

I’m using cs_tools on Windows to extract ThoughtSpot metadata and BI Server usage on a daily schedule, then load the outputs into Snowflake for internal adoption / governance reporting. The business wants user attributes (e.g. Job title, Department etc) which exists in Snowflake/ThoughtSpot but ironically can't be joined to the worksheet "TS: BI Server"

Environment:

• ThoughtSpot Cloud
• cs_tools v1.6.6
• Windows / PowerShell
• Python 3.13
• auth supplied through environment variables and --config ENV:

My current ThoughtSpot values are stable:

• THOUGHTSPOT_URL=https://company.thoughtspot.cloud
• THOUGHTSPOT_USERNAME=dedicated_cstool_user

The unstable piece is auth:

• I can generate a bearer token via REST Playground / REST API
• it works initially
• later the same token returns 401 Unauthorized

From the CS Tools docs, I understand bearer token auth is expected to expire after validity_time_in_sec, so this seems to be working as designed rather than being a bug.

My question is: what is the recommended auth pattern for unattended scheduled cs_tools runs on ThoughtSpot Cloud?

Specifically:

1. Is the recommended production pattern for scheduled cs_tools automation:

   • username + password
   • trusted auth / secret_key
   • something else?

2. Does CS_TOOLS_THOUGHTSPOT__SECRET_KEY work reliably on ThoughtSpot Cloud for searchable metadata / searchable bi-server automation?

3. If the user is an SSO user, is the best practice to create a separate local/internal service account for cs_tools rather than relying on short-lived bearer tokens?

4. Is trusted authentication / secret key intended for this kind of back-end automation, or mainly for embedding flows?

5. If the only available option is bearer token, is there an accepted unattended refresh pattern for cs_tools, or is bearer token generally considered unsuitable for scheduled jobs?

Context:

• This is not an embedded analytics use case
• it is a back-end admin extraction job running daily from Windows Task Scheduler
• we want the most stable and least fragile authentication option
• we are also trying to keep privileges as narrow as possible

Any guidance on the most supportable approach for ThoughtSpot Cloud would be really helpful.
Thanks.
Tam

[DevinMcPherson-TS]

Yes, a service account (using local auth) is the most common method to authenticate with CS Tools. SSO users are not supported since the command line tools don't support SSO workflows. Trusted Auth Token is an option, but you can only set this if you have TSE enabled on your instance.

[tam-ta-patties-com-au]

Thanks Devin. I'm working with TS tech support to a service account (which is not allowed currently in our SSO config)