.svg){kind=logo}
API Authorization
Authentication Requirements
To ensure secure access to our API, all endpoints require authorization through a Bearer Token or a Personal Access Token (PAT)
Bearer Token
Include the following headers in your HTTP requests to authenticate:
Authorization: Bearer {{Token}}
Here’s an example command using cURL:
curl -X GET \
-H "Authorization: Bearer {{Token}}" \
https://example.com/api/your-endpoint
Replace {{Token}} with the actual Bearer token obtained through the authentication process.
Ensure the token is included in the Authorization header for every request, to successfully authenticate and access the API endpoints.
Keep your tokens secure and never expose them in public repositories or insecure environments.
Personal Access Token
To create a Personal Access Token please read the Access Management Tab | Personal Tokens guide.
Using a PAT has some limitations
90 days password reset policy applies
PAT is supported only by the below services:
-
Metrics-API
-
Exports-API
-
miniApps spring-API
-
Testing Studio
-
Orchestrator
-
NLU
-
Environments Manager
Using PAT will result to account deactivation if the account is not used for 90 days
Users must logging in through the OCP UI or through script within this period to avoid account deactivation.
Account deactivation means that a new PAT is required after re-activation
Authorization Token Endpoint
Overview
This section outlines the process of obtaining a Bearer authorization token from OCP’s IAM.
Please replace dynamic parts such as the base URL, username, and password with the appropriate values enclosed in double curly brackets (for example, {{Host}}, {{Username}}, {{Password}}).
Endpoint details
Hosts
|
Host |
URL |
|---|---|
|
EU1 |
|
|
CA1 |
|
|
FRANKFURT |
|
|
US1
|
|
|
US2 |
Obtaining an Access Token
To authenticate with the API, you first need to obtain an access token by making a request to the token endpoint as shown in the example below. The response will include both an access_token and a refresh_token.
HTTP Request
|
Environment |
Host Endpoint |
|---|---|
|
Swarm Environments
|
POST |
|
K8s Environments
|
POST |
Headers
|
Paramenter |
Value |
|---|---|
|
|
|
Body
|
Parameter |
Description |
Value |
|---|---|---|
|
|
The client ID |
ocp |
|
|
|
password |
|
|
The OCP Username |
{{Username}} |
|
|
The OCP Password |
{{Password}} |
Example Request
curl --location --request POST '{{Host}}/{{HostEndPoint}}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=ocp' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username={{Username}}' \
--data-urlencode 'password={{Password}}'
Example Response
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO...",
"expires_in": 300,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgO...",
"token_type": "bearer",
"not-before-policy": 0,
"session_state": "6d4e82a1-2d6d-402a-9d52-f3f99d7a477c",
"scope": "openid"
}
The access_token will be required in any later API request for authorization.
Error Responses
If there is an issue with the request, OCP’s IAM will respond with an appropriate error message. Common error responses include:
|
Response |
Reason |
|---|---|
|
|
The provided credentials (username/password) are incorrect. |
Session limit
Given the five-sessions limit in some environments, it is crucial to log out sessions when they are no longer needed.
Logging out helps to manage your sessions efficiently and stay within the session limit imposed by your environment.
You can log out by making a request to the logout endpoint using the refresh_token obtained earlier from the response of the token request.
Here is an example request:
curl -X POST "{{Host}}/auth/realms/master/protocol/openid-connect/logout" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=ocp" \
-d "refresh_token=$REFRESH_TOKEN"
Security Considerations
Ensure that the communication with the OCP’s IAM service is over HTTPS to secure the transmission of sensitive information.
Protect your username and password as sensitive information and avoid hardcoding them in your application code.
Implement secure storage and transmission practices for the obtained access token.