Generating an authorization token or API key
Generate an authorization token or API key to authenticate to Cloud Pak for Data APIs.
Tokens and API keys are subject to authorization checks. Invocation of API endpoints depends on the role and permissions that you are granted in the Cloud Pak for Data platform and services.
You can use an API Key to generate a Bearer token, which can be used to authorize access to Cloud Pak for Data endpoints.
Or, you can use a username
and API key as a base64-encoded token with
ZenApiKey
authorization instead of using the Bearer token. This alternative
requires one API call to an endpoint.
ZenApiKey
authorization.ZenApiKey
authorization.
Procedure
Getting an API key (preferred).
See Generating API keys for authentication. You can use this method when SAML 2.0 is configured as a web SSO.
ZenApiKey
token by using the following command.
echo "<username>:<api_key>" | base64
Then,
you can use the ZenApiKey
to authenticate to an endpoint.
curl -H "Authorization: ZenApiKey <token>" "https://<cpd_instance_route>/<endpoint>"
ZenApiKey
authorization. You must use your API key to generate a Bearer token by
using the authorize
endpoint. - Endpoint
/icp4d-api/v1/authorize
- Method
POST
- Command syntax
-
Replace
<cpd_instance_route>
,<username>
, and<api_key>
with the correct values for your environment.curl -X POST \ 'https://<cpd_instance_route>/icp4d-api/v1/authorize'\ -H 'Content-Type: application/json' \ -d' { "username":<username>, "api_key":<api_key> }'
This command returns a response that contains the authorization token.
- Sample response
-
{ "_messageCode_": "200", "message": "Success", "token": "<authorization-token>" }
The authorization token is used in subsequent API calls.
- More information
- See also Get authorization token in the Cloud Pak for Data Platform API.
Getting an authorization token when LDAP is enabled.
validateAuth
endpoint. - Endpoint
/v1/preauth/signin
- Method
POST
- Command syntax
-
Replace
<cpd_instance_route>
,<username>
, and<password>
with the correct values for your environment.curl -X POST \ 'https://<cpd_instance_route>/v1/preauth/signin'\ -H 'Content-Type: application/json' \ -d' { "username":<username>, "password":<password> }'
This command returns a response that contains the authorization token.
- Sample response
-
{ "_messageCode_": "200", "message": "Success", "token": "<authorization-token>" }
The authorization token is used in subsequent API calls.
- More information
- See also Get authorization token in the Cloud Pak for Data Platform API.
Getting an authorization token when IAM is enabled.
/idprovider/v1/auth/identitytoken
endpoint. Follow these steps, replacing the
<variables> with the correct values for your environment.- Get your IAM access token with the following cURL
command.
curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \ -d "grant_type=password&username=<username>&password=<password>&scope=openid" \ https://<common-services-route>/idprovider/v1/auth/identitytoken
Replace the following values.<username>
is your username.<password>
is your password.<common-services-route>
is the route to access IBM Cloud Pak foundational services.
This command returns an
access_token
,refresh_token
, andid_token
. The value that is assigned toaccess_token
is what you need to obtain a platform UI access token in the next step. - Get your platform UI access token by running the following cURL
command.
curl -k -X GET 'https://<cpd_instance_route>/v1/preauth/validateAuth' \ -H 'username: <username>' \ -H 'iam-token: <access-token>'
Replace the following values.<cpd_instance_route>
is the route to the Cloud Pak for Data web client. By default, this URL ishttps://cpd-<namespace>.apps.<OCP-default-domain>
.<username>
is your username.<access-token>
is the IAM access token that you obtained from the response in the previous step.
The cURL response can resemble the following sample.{ "_messageCode_": "200", "message": "Success", "token": "<encoded-token-string>" }
In this example,
<encoded-token-string>
is your platform UI access token.
What to do next
curl -H "Authorization: ZenApiKey <token>" "https://<cpd_instance_route>/<endpoint>"
ZenApiKey
token is not supported, use a generated Bearer token in the
authorization header of subsequent API
calls.curl -H "Authorization: Bearer <token>" "https://<cpd_instance_route>/<endpoint>"