Access and authentication for the REST API
Requests to all endpoints in the REST API must be on behalf of a BMC Helix Portal user. Before processing a request, the API authenticates the request to determine the user.
After successful authentication, a permission check decides if the user is allowed to perform the requested action.
The process of authentication is based on various tokens that are obtained by running the endpoints described below.
Getting the JSON Web Token
To run an endpoint, you must first authenticate into the product by getting the JSON Web Token (JWT). The JWT is an access token that enables users to make authenticated calls to secured API endpoints. On every request, the token must be provided in the request as a header. The passed token informs the API that the bearer of the token has been authorized to both access the API and perform authorized actions defined in the user permissions.
When you run the endpoint for getting the refresh token, in the response you get the initial JWT and the refresh token together.
These tokens remain valid for a limited duration:
- The refresh token expires after 24 hours.
- The JWT expires after 15 minutes.
You can start running endpoints with the initial JWT received in the response. However, without the refresh token, authentication can be cumbersome for long running applications that need to make multiple requests. This is because after the JWT expires, the user gets logged out of the system and needs to log in again. As a result, after every 15 minutes, the application will need to get the initial JWT by providing the required credentials.
Therefore, we recommend that you use the following two-step process:
- Get the refresh token
- Get the JWT using the refresh token received in the earlier step.
The application can use the refresh token (stored in a variable) to make the second call to get the JWT until the refresh token expires, after which the refresh token must be renewed.
Protect the refresh token and the JWT as securely as a password. If any of these tokens get leaked before the expiry time, prevent unauthorized access by disabling the tenant-level or user-level access key.
Getting the refresh token
The refresh token enables you to reauthenticate without the need for manual user intervention.
In the refresh token endpoint response, you receive:
token: Represents the refresh token
json_web_token: Represents the JWT
To obtain the refresh token, run the following endpoint:
Getting the JWT using the refresh token
If an application needs to make multiple requests, it can get the refresh token (expiry: 24 hours) and use this token to get the JWT.
To obtain the JWT, run the following endpoint:
A request to generate a token with incorrect credentials, or for a user that has been deactivated, results in a
401 Unauthorized HTTP status code.
A standard endpoint request that omits a valid, unexpired token also results in a
401 Unauthorized status code.
After successful authentication of a user, the endpoints check if the user has the permission to perform the requested action. Users require the same permissions as they would for attempting the action through the equivalent user interface. If the user lacks the required permission, a
403 Forbidden status code is returned from the endpoint.