Creating authentication tokens

Data and metadata service APIs use a JSON Web Token (JWT) for authentication and authorization. When you call an API by using the HTTP Authorization request header, you must supply an unexpired token that has the proper scope and that is signed by an approved JSON Web Key (JWK).

Before you begin

  1. Find the account, organization, and client IDs.

    1. Log in to Intelligence suite.

    2. Select the organization and account that you are using.

    3. Open the Information page.

      A list of account, organization, and client IDs that you need to access the API services is displayed.

      Note: Client ID is prefixed with the service name.

      In the following client ID example, saascore is a service, so the ID is prefixed with saascore.

      saascore-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    4. Make a note of all the IDs.
  2. Get an API key. You need to generate the API key only once to generate the identity and access management (IAM) token, and this key does not expire after it is created.
    1. Log in to IBM Cloud®.
    2. From the menu bar, select Manage > Access (IAM).
    3. From the side navigation menu, in the Manage identities section, click API keys.
    4. To create the IBM Cloud API key, click Create and add a name and description.
    5. Click Create.
    6. Copy the API key or click Download to save it.

Procedure

  1. Generate a token.
    1. To create an IAM token, send the POST API request as shown in the following cURL example.
      Make sure that you replace <<YOUR_IAM_APIKEY>> with your key in the request. 
      curl --location --request POST 'https://iam.cloud.ibm.com/identity/token' \
--data-urlencode 'grant_type=urn:ibm:params:oauth:grant-type:apikey' \
--data-urlencode 'apikey=<<YOUR_IAM_APIKEY>>'
      This request returns an IAM token. Make a note of the IAM token.
    2. Generate a JWT token.
      In the following cURL example, the IAM token is used to generate a JWT token to access saascore service.
      Make sure that you replace <<YOUR_ORGID>>,<<CLIENT_ID>>, and <<YOUR_IAM_TOKEN>> with your organization ID, client ID, and IAM token in the request.
      curl --location --request GET 'https://api.ibm.com/saascore/run/authentication-retrieve?orgId=<<YOUR_ORGID>>\
--header 'X-IBM-Client-Id: saascore-<<CLIENT_ID>>' \
--header 'Authorization: Bearer <<YOUR_IAM_TOKEN>>'
      The result of this call is a JWT token. Save the JWT token for subsequent API calls. JWT tokens typically expire after about 60 minutes after which you need to fetch a new token.
  2. Authenticate your account.

    In the following cURL example, the JWT token is used to authenticate your account.

    curl --location --request <GET/POST> '<INSERT_API_ENDPOINT_HERE>' \
 --header 'x-ibm-client-Id: <service-prefix>-<INSERT_YOUR_CLIENT_ID_HERE>' \
 --header 'Accept: application/json' \
 --header 'Authorization: Bearer <INSERT_YOUR_JWT_HERE> \