OneLogin Python SDK
3.2.5 verified Mon Apr 27 auth: no python
Official Python SDK for the OneLogin API (v1 and v2). Supports OAuth2 authentication, user and role management, event and factor APIs, and SAML assertion handling. Current version 3.2.5, requires Python >=3.10. Active development with quarterly releases.
pip install onelogin
Common errors
error AttributeError: 'OneLoginClient' object has no attribute 'get_users'
cause Importing from the wrong module or using an outdated import pattern.
fix
Use the correct import: from onelogin.api.client import OneLoginClient
error OneLogin.api.OneLoginException: Error: 401 - Unauthorized
cause OAuth2 token expired or invalid client credentials.
fix
Re-authenticate: client.authenticate() or refresh token with client.refresh_token()
error TypeError: __init__() got multiple values for argument 'client_id'
cause Passing positional arguments in the wrong order (v3 changed the constructor signature).
fix
Use keyword arguments: OneLoginClient(client_id=..., client_secret=..., region='us')
error pydantic_core._pydantic_core.ValidationError: 1 validation error for User manager_user_id Input should be a valid integer
cause The manager_user_id field is now a string in v3.2.1+ but the backend may return an integer.
fix
Upgrade to onelogin>=3.2.1 which fixed the type, or ensure manager_user_id is passed as a string.
Warnings
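breaking In v3.x, the constructor changed from (region, client_id, client_secret) to (client_id, client_secret, region). Passing positional arguments in the old order shifts every value into the wrong parameter: the region lands in client_id, the client ID in client_secret, and the client secret in region.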
fix Use keyword arguments: OneLoginClient(client_id=..., client_secret=..., region='us')
deprecated Methods like create_user() are deprecated in favor of create_user2(). The v2 endpoints return different response structures.
fix Use create_user2() and handle the User model returned.
gotcha The library uses Pydantic v2 for data models. Direct dictionary access on responses may fail if you expected simple dicts.
fix Access attributes via dot notation (e.g., user.email) rather than user['email'].
gotcha OAuth2 access tokens expire after 3600 seconds. The client does not auto-refresh – you must call client.refresh_token() or re-authenticate.
fix Wrap API calls with token expiry check or call authenticate() before each batch.
breaking In v2.0.0, the SDK was rewritten to support both API /1 and /2. Old v1 SDK scripts (pre-2.0) are not compatible.
fix Migrate to the new client and use v2 endpoints where possible.
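The token-expiry gotcha above, as an added example that is not part of the SDK or of the original page: a small guard that renews the token shortly before the 3600-second lifetime runs out. It assumes the client exposes authenticate() and refresh_token() as described on this page; TokenGuard, SAFETY_MARGIN and FakeClient are hypothetical names, and FakeClient is a constructed stand-in so the block runs offline.

```python
import time

TOKEN_LIFETIME = 3600  # seconds, from the gotcha above
SAFETY_MARGIN = 60  # assumption: renew this many seconds before expiry


class TokenGuard:
    """Hypothetical wrapper: renews the client's token before a call when it is near expiry."""

    def __init__(self, client, clock=time.monotonic):
        self._client = client
        self._clock = clock  # injectable so expiry can be tested without waiting
        self._issued_at = None  # None means the client has never authenticated

    def _ensure_fresh(self):
        now = self._clock()
        if self._issued_at is None:
            self._client.authenticate()
        elif now - self._issued_at >= TOKEN_LIFETIME - SAFETY_MARGIN:
            try:
                self._client.refresh_token()
            except Exception:
                # Refresh failed (for example a revoked token): do a full re-auth,
                self._client.authenticate()  # which raises if the credentials are bad.
        else:
            return  # token still fresh, nothing to do
        self._issued_at = now

    def call(self, method_name, *args, **kwargs):
        self._ensure_fresh()
        return getattr(self._client, method_name)(*args, **kwargs)


class FakeClient:
    """Constructed stand-in for OneLoginClient; records which methods were called."""

    def __init__(self):
        self.log = []

    def authenticate(self):
        self.log.append("authenticate")

    def refresh_token(self):
        self.log.append("refresh_token")

    def get_users(self):
        self.log.append("get_users")
        return ["alice", "bob"]  # constructed sample data
```

With a real client, replace FakeClient() with the OneLoginClient instance and route batch calls through guard.call("get_users").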
Imports
- OneLoginClient
  wrong: from onelogin import OneLoginClient
  correct: from onelogin.api.client import OneLoginClient
- ApiClient
  wrong: from onelogin.api_client import ApiClient
  correct: from onelogin.api.api_client import ApiClient
- AuthClient
  wrong: from onelogin.auth_client import AuthClient
  correct: from onelogin.api.auth_client import AuthClient
Quickstart
import os

from onelogin.api.client import OneLoginClient

client = OneLoginClient(
    client_id=os.environ.get('ONELOGIN_CLIENT_ID', ''),
    client_secret=os.environ.get('ONELOGIN_CLIENT_SECRET', ''),
    region='us'
)

# Fetch users
users = client.get_users()
print(f"Fetched {len(users)} users")