Generating an authorization token

Generate an authorization token to authenticate to Cloud Pak for Data and use its APIs.

The token is subject to authorization checks. Invocation of API endpoints depend on the role and permissions that you have been granted in the Cloud Pak for Data platform and services.

Before you begin

Make sure you have the Create service instances permission in Cloud Pak for Data.

Procedure

Use one of the following three methods to generate an authorization token:
  • Getting an access token by using your API key (preferred)

    See Generating API keys for authentication. This method is preferred because you can bypass the need to store your passwords in scripts and applications. You can also use this method when SAML 2.0 is configured as a Web SSO.

  • Getting an access token when LDAP is enabled

    If Identity and Access Management (IAM) is not enabled, you can generate a token by using your username and password against the /icp4d-api/v1/authorize endpoint.

    Endpoint
    /icp4d-api/v1/authorize
    Method
    POST
    Command syntax

    Replace <hostname>, <username>, and <password> with the correct values for your environment.

    curl -X POST \
  'https://<hostname>/icp4d-api/v1/authorize'\
  -H 'Content-Type: application/json' \
  -d' {
    "username":<username>,
    "password":<password>
}'

    This command returns a response that contains the access token.

    Sample response
    {
    "_messageCode_": "200",
    "message": "Success",
    "token": "<authorization-token>"
}

    The authorization token is used in subsequent API calls.

    More information
    See also Get authorization token in the Cloud Pak for Data Platform API.

  • Getting an access token when IAM is enabled

    If IAM is enabled, you can generate a token by using your username and password against the /idprovider/v1/auth/identitytoken endpoint. Follow these steps, replacing the <variables> with the correct values for your environment:

    1. Get your IAM access token with the following cURL command: 
      curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
-d "grant_type=password&username=<username>&password=<password>&scope=openid" \
https://<common-services-route>/idprovider/v1/auth/identitytoken
      Where:
      • <username> is your username.
      • <password> is your password.
      • <common-services-route> is the route to access IBM Cloud Pak® foundational services.

      This command returns an access_token, refresh_token, and id_token. The value that is assigned to access_token is what you need to obtain a platform UI access token in the next step.

    2. Get your platform UI access token by running the following cURL command:
      curl -k X GET 'https://<cpd-route>/v1/preauth/validateAuth' \
-H 'username: <username>' \
-H 'iam-token: <iam-token>'
      Where:
      • <cpd-route> is the route to the Cloud Pak for Data web client. By default, this URL is https://cpd-<namespace>.apps.<OCP-default-domain>.
      • <username> is your username.
      • <iam-token> is the IAM access token that you obtained from the response in the previous step.
      The cURL response can resemble the following sample:
      {

"_messageCode_": "200",
"message": "Success",
"token": "<encoded-token-string>"
}

      In this example, <encoded-token-string> is your platform UI access token.

What to do next

Use the generated authorization token in the authorization header of subsequent API calls.