Authentication
All Web Modeler API requests require authentication. To authenticate, generate a JSON Web Token (JWT) depending on your environment and include it in each request.
Clients using a valid generated token have access to all resources within an organization, similar to super-user mode.
While there's no project-level access control enforced in the API, access is still dependent on the CRUD operations assigned.
Generate a token
- SaaS
- Self-Managed
- Create client credentials by clicking Console > Organization > Administration API > Create new credentials.
- Add permissions to this client for Web Modeler API with the needed CRUD permissions.
- Once you have created the client, capture the following values required to generate a token:
Name Environment variable name Default value Client ID CAMUNDA_CONSOLE_CLIENT_ID- Client Secret CAMUNDA_CONSOLE_CLIENT_SECRET- Authorization Server URL CAMUNDA_OAUTH_URLhttps://login.cloud.camunda.io/oauth/tokenAudience CAMUNDA_CONSOLE_OAUTH_AUDIENCEapi.cloud.camunda.iocautionWhen client credentials are created, the
Client Secretis only shown once. Save thisClient Secretsomewhere safe. - Execute an authentication request to the token issuer:
A successful authentication response looks like the following:
curl --request POST ${CAMUNDA_OAUTH_URL} \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode "audience=${CAMUNDA_CONSOLE_OAUTH_AUDIENCE}" \
--data-urlencode "client_id=${CAMUNDA_CONSOLE_CLIENT_ID}" \
--data-urlencode "client_secret=${CAMUNDA_CONSOLE_CLIENT_SECRET}"{
"access_token": "<TOKEN>",
"expires_in": 300,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0
} - Capture the value of the
access_tokenproperty and store it as your token.
- Add an M2M application in Management Identity.
- Add permissions to this application for Web Modeler API with the needed CRUD permissions.
- Capture the
Client IDandClient Secretfrom the application in Management Identity. - Generate a token to access the Web Modeler REST API. Provide the
client_idandclient_secretfrom the values you previously captured in Management Identity.A successful authentication response looks like the following:curl --location --request POST 'http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode "client_id=${CLIENT_ID}" \
--data-urlencode "client_secret=${CLIENT_SECRET}" \
--data-urlencode 'grant_type=client_credentials'{
"access_token": "<TOKEN>",
"expires_in": 300,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0
} - Capture the value of the
access_tokenproperty and store it as your token.
Use a token
Include the previously captured token as an authorization header in each request: Authorization: Bearer <TOKEN>.
For example, to send a request to the Web Modeler API's /info endpoint:
- SaaS
- Self-Managed
curl --header "Authorization: Bearer ${TOKEN}" \
https://modeler.cloud.camunda.io/api/v1/info
The ${WEB_MODELER_REST_URL} variable below represents the URL of the Web Modeler API. You can configure this value in your Self-Managed installation. The default value is http://localhost:8070.
curl --header "Authorization: Bearer ${TOKEN}" \
${WEB_MODELER_REST_URL}/api/v1/info
A successful response includes information about the environment. For example:
{
"version": "v1",
"authorizedOrganization": "12345678-ABCD-DCBA-ABCD-123456789ABC",
"createPermission": true,
"readPermission": true,
"updatePermission": true,
"deletePermission": false
}
Organization-level access
API tokens are granted to organization-level applications (Self-Managed) or clients (SaaS) rather than individual users. With an API token, you can read, edit, and delete all workspaces (called "projects" before Camunda 8.10) and workspace resources in the organization, as long as the application or client has the required Web Modeler API permissions. This is true even if you aren't a member of the workspace and you can't see it in the Camunda Hub user interface.
Token expiration
Access tokens expire according to the expires_in property of a successful authentication response. After this duration, in seconds, you must request a new access token.