Authentication
Authenticate your requests to the Camunda Hub REST API.
The process
Generate a JSON Web Token (JWT), and include it in every request. If you already have a Web Modeler API v1 token, you can use the same token for this API.
Generate a token
- Add an M2M application in Management Identity.
- Grant this application access to the Web Modeler API with the necessary permissions. This authorization also adds the required
web-modeler-public-apiaudience to tokens issued for this application, so noaudienceparameter is needed in the token request. - Capture the
Client IDandClient Secretfrom the application in Management Identity. - Generate a token, providing the previously-captured values as the
client_idandclient_secret:A successful authentication response looks like this:curl --location --request POST 'http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode "client_id=${CLIENT_ID}" \
--data-urlencode "client_secret=${CLIENT_SECRET}" \
--data-urlencode 'grant_type=client_credentials'{
"access_token": "<TOKEN>",
"expires_in": 300,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0
} - Use the
access_tokenin the next step.
Authenticate with your token
Include the previously-captured token as an authorization header in every request: Authorization: Bearer <TOKEN>.
For example, send a request to the Camunda Hub API's /info endpoint:
curl --header "Authorization: Bearer ${TOKEN}" \
${CAMUNDA_HUB_REST_URL}/api/v2/info
In this example, ${CAMUNDA_HUB_REST_URL} represents the URL of the Camunda Hub API. You can configure this value in your Self-Managed installation. The default value is http://localhost:8088.
The Camunda Hub API validates both the token's audience and the application's permissions:
- A
401 Unauthorizedresponse means the token is missing theweb-modeler-public-apiaudience. This audience is added when the application is authorized for the Camunda Hub API (see step 2), so confirm that authorization is in place. - A
403 Forbiddenresponse means the application is missing the permissions required for the operation on the Camunda Hub API (for example,create,update, ordelete).
Token expiration
Access tokens expire according to the expires_in property of an authenticated response. After this duration, in seconds, you must request a new access token.