Generating a bearer token

In scenarios where you cannot use ZenApiKey authorization tokens, you can generate a bearer token using your IBM Cloud Pak for Data credentials. You can use the bearer token to authenticate to IBM Cloud Pak for Data APIs and access IBM Cloud Pak for Data endpoints.

About this task

Tokens and API keys are subject to authorization checks. Invocation of API endpoints depends on the role and permissions that you are granted on the platform and in services.

Important: A cluster administrator must first generate an API key before you can use it to generate a bearer token. A cluster administrator can generate an API key by using the IBM Cloud Pak for Data web client. For more information, see Generating API keys for authentication.

Procedure

  1. Call the API by using one of the following cURL commands. Choose the command that uses the credentials you want to authenticate with.
    • Authenticate with an API key:
      curl -k -X POST \
    "https://<instance_route>/icp4d-api/v1/authorize" \
    -H "Content-Type: application/json" \
    -d "{
      "username":<username>,
      "api_key":<api_key>
}"
    • Authenticate with a username and password:
      curl -k -X POST \
    "https://<instance_route>/icp4d-api/v1/authorize" \
    -H "Content-Type: application/json" \
    -d "{
        "username": <username>,
        "password": <password>
}"
    • Authenticate with a password and also validate a self-signed certificate:
      curl -X POST \
    "https://<instance_route>/icp4d-api/v1/authorize" \
    --cacert /<path_to_root-ca>.crt
    -H "Content-Type: application/json" \
    -d "{
        "username": <username>,
        "password": <password>
}"

      If the certificate is signed by a proper root certification authority (CA), then neither the -k nor --cacert parameter are needed because the curl already knows of the root CA.

    Replace <instance_route> with the details for the service instance. Replace <username>, <password>, and <api_key> with your IBM Cloud Pak for Data credentials. If you use a self-signed certificate, then replace <path_to_root-ca> as well.

This command returns a response that contains the bearer token.
{
    "_messageCode_": "200",
    "message": "Success",
    "accessToken": "<bearer-token>"
}

For more information about the /icp4d-api/v1/authorize endpoints, see Get authorization token in the IBM® Software Hub Platform API.

What to do next

Use the bearer token that you generated in the authorization header of subsequent API calls.

curl -H "Authorization: Bearer <token>" "https://<platform_instance_route>/<endpoint>"