Generating an authorization token for the admin user

You can generate other API authorization tokens to authenticate instead of using ZenApiKey authorization tokens.

Who needs to complete this task?

A default platform administrator, either cpadmin or admin, can complete this task. You must have Red Hat® OpenShift® Container Platform access to complete this task. If you don't have access, work with your instance administrator.

Before you begin

You must generate a bearer token before you can use these tasks. For information about generating a bearer token, see Generating a bearer token.

About this task

Tokens and API keys are subject to authorization checks. Invocation of API endpoints depends on the role and permissions that you are granted on the platform and in services.

Procedure

You must use either the /v1/preauth/validateAuth endpoint or /v1/preauth/signin endpoint to generate an authorization token. The endpoint that you can use depends on whether the Identity Management Service is enabled or disabled.

The Identity Management Service is enabled by default. It can be disabled if you want to enable LDAP instead of the Identity Management Service.

Identity Management Service is enabled

You must use the /v1/preauth/validateAuth endpoint

Identity Management Service is disabled

You can use either of the following endpoints:

  • /v1/preauth/validateAuth endpoint.

    The /v1/preauth/validateAuth generates an authorization token that is not related to session. The payload has a token_id. This endpoint is more suitable when using API calls.

  • /v1/preauth/signin endpoint

    The /v1/preauth/signin simulates a user login through the user interface. It generates a session, and the token payload has a session-id.

Available endpoints

/v1/preauth/validateAuth endpoint

You can generate a token by using your username and password against the /v1/preauth/validateAuth endpoint. Replace the <variables> with the correct values for your environment.

Method
GET
Command syntax
curl -k -X GET \
    "https://<platform_instance_route>/v1/preauth/validateAuth" \
    -H "username: <username>" \
    -H "password: <password>"
Replace the following values.
  • <platform_instance_route> is the route to the IBM Cloud Pak for Data web client. By default, this URL is https://cpd-<namespace>.apps.<OCP-default-domain>.
  • <username> is your username.
  • <password> .
Sample response

The command returns a response that contains the authorization token:

{
    "_messageCode_": "200",
    "message": "Success",
    "accessToken": "<authorization-token>"
}
/v1/preauth/signin endpoint

You can generate a token by using your username and password against the /v1/preauth/signin endpoint.

Endpoint
/v1/preauth/signin
Method
POST
Command syntax
curl -X POST \
  'https://<platform_instance_route>/v1/preauth/validateAuth'\
  -H 'Content-Type: application/json' \
  -d' {
    "username":<username>,
    "password":<password>
}'
Replace the following values.
  • <platform_instance_route> is the route to the IBM Cloud Pak for Data web client. By default, this URL is https://cpd-<namespace>.apps.<OCP-default-domain>.
  • <username> is your username.
  • <password> .
Sample response

The command returns a response that contains the authorization token:

{
    "_messageCode_": "200",
    "message": "Success",
    "accessToken": "<authorization-token>"
}

The authorization token is used in subsequent API calls.

More information
See also Get authorization token in the IBM® Software Hub Platform API.

What to do next

Use the authentication token in the authorization header of subsequent API calls.

curl -H "Authorization: Bearer <token>" "https://<platform_instance_route>/<endpoint>"