copyright | lastupdated | keywords | subcollection | ||
---|---|---|---|---|---|
|
2019-01-30 |
IBM Cloud service APIs, IAM token, API key, authenticate with service API |
iam |
{:shortdesc: .shortdesc} {:codeblock: .codeblock} {:screen: .screen} {:new_window: target="_blank"} {:tip: .tip}
{: #iamapikeysforservices}
To invoke an {{site.data.keyword.Bluemix}} service through an API, pass your credentials to the service's API to authenticate your user identity and your access to perform actions within the context of the service. {:shortdesc}
You can identify the caller in one of the following ways:
- {{site.data.keyword.Bluemix_notm}} API key or service ID API key
- {{site.data.keyword.Bluemix_notm}} Identity and Access Management (IAM) token
{{site.data.keyword.Bluemix_notm}} API keys, service ID API keys, and IAM tokens uniquely identify the caller’s identity. The caller identity is either an {{site.data.keyword.Bluemix_notm}} user or a service ID that was created in an {{site.data.keyword.Bluemix_notm}} account.
The API keys are credentials that consist of a long series of random characters or numbers. An {{site.data.keyword.Bluemix_notm}} identity can have multiple API keys. Each of these API keys can be managed independently, meaning if this API key is used by your service only, you can delete the API key without disrupting some other component.
You can use API keys to log in to the {{site.data.keyword.Bluemix_notm}} command-line interface (CLI) or to generate IAM tokens. While it is not recommended for production use, you can also send API keys to {{site.data.keyword.Bluemix_notm}} services.
{: #apikey_auth}
API clients can directly pass an {{site.data.keyword.Bluemix_notm}} API key to the target service’s API. To do so, send the apikey
keyword as the user name and the {{site.data.keyword.Bluemix_notm}} API key as the password by using basic authorization HTTP header to the target service.
The target service API must introspect the {{site.data.keyword.Bluemix_notm}} API key by using the {{site.data.keyword.Bluemix_notm}} IAM service. The following graphic shows three API interactions. The {{site.data.keyword.Bluemix_notm}} API key is passed to every target service’s API, so each target service must look up the {{site.data.keyword.Bluemix_notm}} API key details by invoking {{site.data.keyword.Bluemix_notm}} IAM.
Using an {{site.data.keyword.Bluemix_notm}} API key is convenient, and it makes it easy to discover new APIs and quickly try out prototypes. This method requires you to send the {{site.data.keyword.Bluemix_notm}} API key to the target service‘s API in a readable format, which unnecessarily compromises the API key. Additionally, as the target service’s API must always introspect the API key, this method is less performant and therefore not recommended for production work loads.
To authenticate with a service's API by using an API key, complete the following steps:
- First, create an {{site.data.keyword.Bluemix_notm}} API key if you have not already.
- Send the {{site.data.keyword.Bluemix_notm}} API key as defined in RFC 7617{: new_window} as HTTP header “Authorization”. Use
apikey
as the user name, and the API key value as the password.
As an example, the following steps assume that the API key is 0a1A2b3B4c5C6d7D8e9E:
- Concatenate the user name
apikey
and the API key separated by a colon:apikey:0a1A2b3B4c5C6d7D8e9E
- Base64 encode the string:
base64("apikey:0a1A2b3B4c5C6d7D8e9E") => YXBpa2V5OjBhMUEyYjNCNGM1QzZkN0Q4ZTlF
- Set the HTTP header Authorization with schema Basic, for example
Authorization: Basic YXBpa2V5OjBhMUEyYjNCNGM1QzZkN0Q4ZTlF
. When you use the curl command, you can pass this with the parameter -u:
```
curl -u "apikey:<IBM Cloud API key value>"
```
If you use other tools, you might have to specify these credentials differently. {: tip}
{: #token_auth}
To retrieve an IAM access token, the API client must first invoke an {{site.data.keyword.Bluemix_notm}} IAM API to authenticate and retrieve that token. The preferred way for {{site.data.keyword.Bluemix_notm}} service API clients is to use an IAM API key to get an IAM access token. The IAM access token can be used for multiple invocations of {{site.data.keyword.Bluemix_notm}} services that accept IAM access tokens as an authentication method. As IAM access tokens are digitally signed with asymmetric keys, {{site.data.keyword.Bluemix_notm}} services can validate an IAM access token without invoking any external service. This dramatically improves the performance of invoking an API.
To authenticate with a service's API by using an access token, complete the following steps:
- First, create an {{site.data.keyword.Bluemix_notm}} API key if you have not already.
- The next step for the API client is the retrieval of an IAM access token, as described in Getting an IAM token from an API key.
- From the response, extract the property
access_token
to get the IAM access token.expires_in
indicates the seconds until the IAM access tokenaccess_token
expires. Either use this relative value or the absolute time stampexpiration
based in UNIX time{: new_window} . - Send the IAM access token as described in RFC 6750, section 2.1. Authorization Request Header Field{: new_window} :
Review the following example:
- Use the HTTP header Authorization
- Prefix the IAM access token with the literal
Bearer: Bearer eyJhbGciOiJSUzI1Ng...
- Add the prefixed IAM access token to the HTTP header:
Authorization: Bearer eyJhbGciOiJSUzI1Ng...
. When you use the curl command, you can pass this with the parameter -H:
```
curl -H "Authorization: Bearer eyJhbGciOiJSUzI1Ng..."
```
Use the same IAM access token for subsequent IBM Cloud service API calls to achieve the best performance and scalability. {: tip}