Calling secured RESTful APIs

To call a RESTful API that is secured with an API key, or an access token, such as an OAuth 2.0 token or a JSON Web Token (JWT), you might need to specify security parameters in your CICS®, IMS, or other z/OS® application.

Applies to zosConnect-2.0.

Applies to z/OS Connect Servers run by using a z/OS started task procedure.

Prerequisites: Follow the instructions in Developing z/OS applications to call APIs to learn how to call a RESTful API from a z/OS application.

API keys

To call a RESTful API that is secured with an API key, the API key definition can be provided either in the API Swagger file or in a z/OS Connect build toolkit properties file. In either case, the build toolkit generates API key parameters in the request data structure, which must be populated by your CICS, IMS, or other z/OS application.

For more information about how API key authentication works with IBM® z/OS Connect, see API requester calling an API secured with an API key. For more information about configuring an API key, see How to configure an API key.

Access tokens

When you obtain an access token from an authorization server by using an OAuth 2.0 compliant request, as described in Calling an OAuth 2.0 authorization server (zosConnect-2.0), some configuration parameters can be specified in your application. See zosconnect_oAuthConfig access token-related parameters.

When you obtain an access token, such as a JWT, from an authentication server by using a request that is not OAuth 2.0 compliant, as described in Calling an authentication server (zosConnect-2.0), some configuration parameters can be specified in your application. See zosconnect_authToken access token related parameters.

When z/OS Connect is used to generate a JWT, as described in Generating a JWT within IBM z/OS Connect, there are no security parameters to set in your application; all the configuration is in server.xml.