Skip to main content
Version: 8.6

Authentication

Authenticate to access the Tasklist API.

Authentication in the cloud

To access the API endpoint, you need an access token.

Your client must send a header in each request:

Authorization: Bearer <Token>

For example, send a request using curl:

curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer <TOKEN>" -d '{"query": "{tasks(query:{}){name}}"}' http://localhost:8080/graphql

How to obtain the access token

You must obtain a token to use the Tasklist API. When you create a Tasklist client, you get all the information needed to connect to Tasklist.

Refer to our guide on building your own client.

The following settings are needed:

NameDescriptionDefault value
client idName of your registered client-
client secretPassword for your registered client-
audiencePermission name; if not given use default valuetasklist.camunda.io
authorization server urlToken issuer server-

Send a token issue POST request to the authorization server with the following content:

{
"client_id": "<client-id>",
"client_secret": "<client-secret>",
"audience": "<audience>",
"grant_type": "client_credentials"
}

Refer to the following example with curl:

curl -X POST --header 'content-type: application/json' --data '{"client_id": "<client-id>", "client_secret":"<client-secret>","audience":"<audience>","grant_type":"client_credentials"}' https://<authorization server url>

If the authentication is successful, the authorization server sends back the access token, when it expires, scope, and type:

{
"access_token": "ey...",
"scope": "...",
"expires_in": 86400,
"token_type": "Bearer"
}

Authentication for Self-Managed cluster

Authentication via Identity JWT access token

The authentication is described in Tasklist Configuration - Authentication.

note

When authenticating via cookie, note that Cross-Site Request Forgery (CSRF) protection must be disabled to allow this method of authentication. In a Camunda Self-Managed cluster, set the configuration property camunda.tasklist.csrfPreventionEnabled to false.

Another way to access the Tasklist API in a Self-Managed cluster is to send cookie headers in each request. This works for scenarios where authentication is managed by Tasklist and not by Identity. The cookie can be obtained by using the API endpoint /api/login:

Example:

  1. Log in as user 'demo' and store the cookie in the file cookie.txt.
curl --request POST 'http://localhost:8080/api/login?username=demo&password=demo' \
--cookie-jar cookie.txt
  1. Send the cookie as a header in each API request. In this case, request all process definitions.
curl --request POST 'http://localhost:8080/v1/process-definitions/search' \
--cookie cookie.txt \
--header 'Content-Type: application/json' -d '{}'