diff --git a/src/confluent_kafka/schema_registry/schema_registry_client.py b/src/confluent_kafka/schema_registry/schema_registry_client.py
index c414c7ee1..a4aadb11f 100644
--- a/src/confluent_kafka/schema_registry/schema_registry_client.py
+++ b/src/confluent_kafka/schema_registry/schema_registry_client.py
@@ -97,21 +97,28 @@ def __init__(self, conf):
" configuring ssl.key.location")
userinfo = utils.get_auth_from_url(base_url)
- if 'basic.auth.user.info' in conf_copy:
- if userinfo != ('', ''):
- raise ValueError("basic.auth.user.info configured with"
- " userinfo credentials in the URL."
- " Remove userinfo credentials from the url or"
- " remove basic.auth.user.info from the"
- " configuration")
-
+ url_basic_auth = userinfo != ('', '')
+ config_basic_auth = 'basic.auth.user.info' in conf_copy
+ config_bearer_auth = 'token' in conf_copy
+ if sum([url_basic_auth, config_basic_auth, config_bearer_auth]) > 1:
+ raise ValueError("credentials are specified more than once,"
+ " or multiple authentication mechanisms are configured."
+ " Please specify only one of the following options:"
+ " (1) user credentials on the url"
+ " (2) user credentials using 'basic.auth.user.info' configuration"
+ " (3) token using 'token' configuration.")
+
+ if url_basic_auth:
+ self.session.auth = userinfo
+ elif config_basic_auth:
userinfo = tuple(conf_copy.pop('basic.auth.user.info', '').split(':'))
-
if len(userinfo) != 2:
raise ValueError("basic.auth.user.info must be in the form"
" of {username}:{password}")
-
- self.session.auth = userinfo if userinfo != ('', '') else None
+ self.session.auth = userinfo
+ elif config_bearer_auth:
+ token = conf_copy.pop('token')
+ self.session.headers['Authorization'] = f'Bearer {token}'
# Any leftover keys are unknown to _RestClient
if len(conf_copy) > 0: