Has your application with the IBM Watson service suddenly stopped working without any changes to its configuration?

The application probably uses HTTP basic authentication with username and password credentials; this is also called as a Cloud Foundry service credential, and you likely see 401: Unauthorised Error in the application log:

401 Unauthorised

This blog post will outline how to resolve the issue and get your application up and running with the Watson service again.


Once you migrate a Watson service instance to move it from its current Cloud Foundry org and space to a resource group, your new instance manages authentication with Cloud Identity and Access Management (IAM). IAM is an enhanced mechanism that uses API keys instead of username and password. 

As a result, you need to change the application code, which authenticates to the Watson service with the IAM API key credential.

  1. Log in to IBM Cloud and open your Dashboard. 
  2. Select Services in the Resource summary section > your Watson service instance > Service Credentials
  3. Copy the API key in the Credentials section. 
  4. Check your application code that authenticates to the Watson service with username and password credentials and replace it with the API key you copied from Step 3.


The following Python code is using Basic Authentication to connect to the watsonx Assistant instance, and it may have failed with the 401 authentication error because the credential has deprecated.

from ibm_watson import AssistantV1 
from ibm_cloud_sdk_core.authenticators import BasicAuthenticator

username = 'd51a5b3c-fce3-4836-9d4c-e068a9e35379'
password = 'Pw0Oq3kydbzQ'

authenticator = BasicAuthenticator(username, password) 
assistant = AssistantV1( version='2018-08-01', authenticator=authenticator ) 

Note that the username of the old Cloud Foundry service credential is a string other than apikey in the above example. 

Replace the username with the word apikey and the password with the actual API key of the Watson service. 

Below, you’ll see the updated version of the example code:

username = 'apikey'
password = 'your-API-Key-goes-here'
authenticator = BasicAuthenticator(username, password) 
assistant = AssistantV1( version='2018-08-01', authenticator=authenticator ) 

Or, if you use a later version of Watson SDK to manage the IAM authentication, you can use the following code in this example:

from ibm_watson import AssistantV1 
from ibm_cloud_sdk_core.authenticators import IAMAuthenticator 

authenticator = IAMAuthenticator( 'your-API-Key-goes-here') 
assistant = AssistantV1( version='2019-08-01', authenticator=authenticator )

For different programming languages and Watson services, refer to the corresponding Watson SDK and API documents: 


Update your applications to take advantage of the improved security that Cloud Identity and Access Management (IAM) affords. After you update your apps to use the new API key approach, you won’t need the Cloud Foundry service alias and can delete it. The username and password credentials have recently been disabled, and applications must be updated to use the IAM authentication method.

For more details about the migration of your Cloud Foundry instance and the new IAM authentication, see the following: 


More from Cloud

IBM Tech Now: October 2, 2023

< 1 min read - ​Welcome IBM Tech Now, our video web series featuring the latest and greatest news and announcements in the world of technology. Make sure you subscribe to our YouTube channel to be notified every time a new IBM Tech Now video is published. IBM Tech Now: Episode 86 On this episode, we're covering the following topics: AI on IBM Z IBM Maximo Application Suite 8.11 IBM NS1 Connect Stay plugged in You can check out the IBM Blog Announcements for a…

IBM Cloud inactive identities: Ideas for automated processing

4 min read - Regular cleanup is part of all account administration and security best practices, not just for cloud environments. In our blog post on identifying inactive identities, we looked at the APIs offered by IBM Cloud Identity and Access Management (IAM) and how to utilize them to obtain details on IAM identities and API keys. Some readers provided feedback and asked on how to proceed and act on identified inactive identities. In response, we are going lay out possible steps to take.…

IBM Cloud VMware as a Service introduces multitenant as a new, cost-efficient consumption model

4 min read - Businesses often struggle with ongoing operational needs like monitoring, patching and maintenance of their VMware infrastructure or the added concerns over capacity management. At the same time, cost efficiency and control are very important. Not all workloads have identical needs and different business applications have variable requirements. For example, production applications and regulated workloads may require strong isolation, but development/testing, training environments, disaster recovery sites or other applications may have lower availability requirements or they can be ephemeral in nature,…

IBM accelerates enterprise AI for clients with new capabilities on IBM Z

5 min read - Today, we are excited to unveil a new suite of AI offerings for IBM Z that are designed to help clients improve business outcomes by speeding the implementation of enterprise AI on IBM Z across a wide variety of use cases and industries. We are bringing artificial intelligence (AI) to emerging use cases that our clients (like Swiss insurance provider La Mobilière) have begun exploring, such as enhancing the accuracy of insurance policy recommendations, increasing the accuracy and timeliness of…