Authentication for the Infrastructure Management REST API

This section explains how the REST API requests are authenticated. The implementation of the authentication mechanism varies according to your Infrastructure Management setup.

Authentication mechanism

A REST API request is authenticated using a user name and password. You have the option to use a tenant name with the user name and password for some REST API requests. The user credentials are passed through the HTTP header. Based on your Infrastructure Management setup, the user credentials are authenticated against the information in the Infrastructure Management Database, the LDAP server, or Remedy SSO.

The authentication mechanism uses the following formats to encode the user credentials:

URL-encoded format

In the URL-encoded format, a successful authentication generates an authentication token. You can use this authentication token in your subsequent REST API requests. The token has a time-limited validity. You can configure the validity time of the authentication token by updating the value of the loginExpiryInterval_hrs property set in the file. In a multiple server environment, you must set this property in all the servers. The file is located in the pw\pronto\conf directory. By default, the value of the loginExpiryInterval_hrs property is 24.

Expiry settings is controlled by Remedy SSO settings

The loginExpiryInterval_hrs property settings is controlled by the expiry settings configured in Remedy SSO.

Authenticating user credentials using the TSWS APIs

The TrueSight Web Service (TSWS) API enables developers to integrate the Infrastructure Management data with the TrueSight Presentation Server. This API uses standard HTTP GET and POST methods to retrieve data from the server, and all responses from the server are in JSON format. Although REST API messages are sent and received using HTTP, BMC recommends that you implement REST using HTTPS for increased security. This security is important if the client passes sensitive information, such as authentication credentials over the network. 

The generic syntax of the URL to authenticate user credentials using TSWS API is as follows:



The REST client internally makes an authentication login API call each time it is used, passing the username/password specified in the command line. Therefore, do not use the REST client to directly call the login API. 

For more information, see the following topics:

  • Authentication and permissions in the TSWS REST API
  • TSWS authentication
  • Validating the token

Base64-encoded format

In this format, a concatenated string of the user name and password separated by a colon (:) is created. This string is encoded in the Base64 format. A REST API client uses this encoded string as the user credentials in the HTTP header. Every REST API request must have the Base64-encoded format of the user credentials in the HTTP header. If you decide to use this format, you do not have to run the login API.

For example, if the user name is admin and password is admin, the concatenated string is admin:admin. The Base64 encoded string of admin:admin is YWRtaW46YWRtaW4=. You must use this encoded string as the user credentials in the HTTP header of every REST API request. The use of the Base64 encoded string in the header of a REST API request is as follows:

authorization basic YWRtaW46YWRtaW4=


BMC recommends that you use the Base64 format only when you have SSL configured and if you do not use REST API requests frequently.

Was this page helpful? Yes No Submitting... Thank you