Authentication for the Cloud Administration APIs Authentication for the Cloud Administration APIs
Clients calling Administration Event Log API or User Event Log API must authenticate themselves by including a JSON Web Token (JWT). Each request must contain a valid JWT in an HTTP Authorization header, as shown in this example:
Authorization: Bearer <JWT token>
Obtaining the API KeyObtaining the API Key
The JWT is signed using an Administration API key. The Super Admin uses the Cloud Administration Console to generate the key, as described in Manage the Cloud Administration API Keys. Obtain this key from your Super Admin.
JSON Web Token (JWT)JSON Web Token (JWT)
The JWT consists of three parts:
- JWT header
- JWT claims
- JWT signature
JWT HeaderJWT Header
The type must be set to JWT and the RS256 algorithm must be used to sign the token. Other values are not supported and result in an HTTP 403 Authorization error.
JWT ClaimsJWT Claims
The following table lists standard JWT claims that must be present for authentication. All other claims are ignored.
|sub||Access ID value of Administration API key.|
|iat||The time when the JWT was created, specified in Unix Epoch time.|
|exp||Expiration time of JWT, specified in Unix Epoch time. A clock skew of 60 seconds is allowed. For security reasons, tokens must expire one hour or less after they are issued. The server will enforce this.|
|aud||Audience of the claim. Value must be the Admin REST API Base URL. This can be obtained from the adminRestApiUrl property of the Admin API key file.|
The following example shows a sample JWT claims set.
JWT SignatureJWT Signature
A JWT signature must be completed with the RS256 algorithm, using the API Access Key.
Token ExpirationToken Expiration
Tokens must expire one hour or less after they are issued, otherwise the request is rejected. A clock skew of 60 seconds is allowed.