Skip to main content
Version: 8.6

Authentication

All Web Modeler API requests require authentication. To authenticate, generate a JSON Web Token (JWT) depending on your environment and include it in each request.

Generate a token

  1. Create client credentials by clicking Console > Organization > Administration API > Create new credentials.
  2. Add permissions to this client for Web Modeler API.
  3. Once you have created the client, capture the following values required to generate a token:
    NameEnvironment variable nameDefault value
    Client IDCAMUNDA_CONSOLE_CLIENT_ID-
    Client SecretCAMUNDA_CONSOLE_CLIENT_SECRET-
    Authorization Server URLCAMUNDA_OAUTH_URLhttps://login.cloud.camunda.io/oauth/token
    AudienceCAMUNDA_CONSOLE_OAUTH_AUDIENCEapi.cloud.camunda.io
    caution

    When client credentials are created, the Client Secret is only shown once. Save this Client Secret somewhere safe.

  4. Execute an authentication request to the token issuer:
    curl --request POST ${CAMUNDA_OAUTH_URL} \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode "audience=${CAMUNDA_CONSOLE_OAUTH_AUDIENCE}" \
    --data-urlencode "client_id=${CAMUNDA_CONSOLE_CLIENT_ID}" \
    --data-urlencode "client_secret=${CAMUNDA_CONSOLE_CLIENT_SECRET}"
    A successful authentication response looks like the following:
    {
    "access_token": "<TOKEN>",
    "expires_in": 300,
    "refresh_expires_in": 0,
    "token_type": "Bearer",
    "not-before-policy": 0
    }
  5. Capture the value of the access_token property and store it as your token.

Use a token

Include the previously captured token as an authorization header in each request: Authorization: Bearer <TOKEN>.

For example, to send a request to the Web Modeler API's /info endpoint:

curl --header "Authorization: Bearer ${TOKEN}" \
https://modeler.cloud.camunda.io/api/v1/info

A successful response includes information about the environment. For example:

{
"version": "v1",
"authorizedOrganization": "12345678-ABCD-DCBA-ABCD-123456789ABC",
"createPermission": true,
"readPermission": true,
"updatePermission": true,
"deletePermission": false
}

Token expiration

Access tokens expire according to the expires_in property of a successful authentication response. After this duration, in seconds, you must request a new access token.