Generating a bearer token

Generate a bearer token to authenticate to IBM watsonx APIs. Use this procedure if the API does not support ZenApiKey authorization tokens.

About this task

Tokens and API keys are subject to authorization checks. Invocation of API endpoints depends on the role and permissions that you are granted on the platform and in services.

You can use an API Key to generate a Bearer token, which can be used to authorize access to IBM watsonx endpoints.

Procedure

Use one of the following methods to generate an authorization token to authenticate to API endpoints.

Getting a Bearer token

Some APIs and APIs do not support ZenApiKey authorization.

You can generate an API key to get an API authorization token by using the IBM watsonx web client. For more information, see Generating API keys for authentication.

Use your API key to generate a Bearer token by using the authorize endpoint.

Endpoint
/icp4d-api/v1/authorize
Method
POST
Command syntax

Replace <instance_route>, <username>, and <api_key> with the correct values for your environment.

curl -X POST \
  'https://<instance_route>/icp4d-api/v1/authorize'\
  -H 'Content-Type: application/json' \
  -d' {
    "username":<username>,
    "api_key":<api_key>
}'

This command returns a response that contains the bearer token.

Sample response
{
    "_messageCode_": "200",
    "message": "Success",
    "token": "<bearer-token>"
}

The authorization token is used in subsequent API calls.

More information
See also Get authorization token in the IBM® Software Hub Platform API.
Getting an authorization token when the Identity Management Service is enabled

The Identity Management Service is enabled by default.

When Identity Management Service is enabled, you can generate a token by using your username and password against the /idprovider/v1/auth/identitytoken endpoint. Follow these steps, replacing the <variables> with the correct values for your environment.

  1. Use the following command to find the route to access IBM Cloud Pak foundational services. 
    oc get route cp-console -n ${PROJECT_CPD_INST_OPERANDS}

    This command returns the <common-services-route>. For example, https://cp-console-cpd-instance.apps.ivt487.cp.example.com.

  2. Get your IAM access token with the following cURL command.
    curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
-d "grant_type=password&username=<username>&password=<password>&scope=openid" \
https://<common-services-route>/idprovider/v1/auth/identitytoken
    Replace the following values.
    • <username> is your username.
    • <password> is your password.
    • <common-services-route> is the route to access your cluster.

    This command returns an access_token, refresh_token, and id_token. The value that is assigned to access_token is what you need to obtain a platform UI access token in the next step.

  3. Get your platform UI access token by running the following cURL command.
    curl -k -X GET 'https://<platform_instance_route>/v1/preauth/validateAuth' \
-H 'username: <username>' \
-H 'iam-token: <access-token>'
    Replace the following values.
    • <platform_instance_route> is the route to the IBM watsonx web client. By default, this URL is https://cpd-<namespace>.apps.<OCP-default-domain>.
    • <username> is your username.
    • <access-token> is the IAM access token that you obtained from the response in step 2.
    The cURL response can resemble the following sample.
    {
    "_messageCode_": "200",
    "message": "Success",
    "token": "<authorization-token>"
}
Getting an authorization token when LDAP is enabled
If the Identity Management Service is not enabled, you can generate a token by using your username and password against the validateAuth endpoint.
Endpoint
/v1/preauth/signin
Method
POST
Command syntax

Replace <platform_instance_route>, <username>, and <password> with the correct values for your environment.

curl -X POST \
  'https://<platform_instance_route>/v1/preauth/signin'\
  -H 'Content-Type: application/json' \
  -d' {
    "username":<username>,
    "password":<password>
}'

This command returns a response that contains the authorization token.

Sample response
{
    "_messageCode_": "200",
    "message": "Success",
    "token": "<authorization-token>"
}

The authorization token is used in subsequent API calls.

More information
See also Get authorization token in the IBM Software Hub Platform API.

What to do next

If the ZenApiKey token is not supported, use a generated Bearer token in the authorization header of subsequent API calls.

curl -H "Authorization: Bearer <token>" "https://<platform_instance_route>/<endpoint>"