Version: Next

Authentication

All Camunda 8 REST API requests require authentication. To authenticate, generate a JSON Web Token (JWT) depending on your environment and pass it in each request.

Generating a token

SaaS
Self-Managed

Create client credentials in the Clusters > Cluster name > API tab of Camunda Console.
Add permissions to this client for Zeebe.

Upon creating the client, capture the following values required to generate a token:

Name	Environment variable name	Default value
Client ID	`ZEEBE_CLIENT_ID`	-
Client Secret	`ZEEBE_CLIENT_SECRET`	-
Authorization Server URL	`ZEEBE_AUTHORIZATION_SERVER_URL`	`https://login.cloud.camunda.io/oauth/token`
Audience	`ZEEBE_TOKEN_AUDIENCE`	`zeebe.camunda.io`
Zeebe REST Address	`ZEEBE_REST_ADDRESS`	-

tip

When client credentials are created, the Client Secret is only shown once. Save this Client Secret somewhere safe.

Execute an authentication request to the token issuer:

curl --request POST ${ZEEBE_AUTHORIZATION_SERVER_URL} \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode "audience=${ZEEBE_TOKEN_AUDIENCE}" \
    --data-urlencode "client_id=${ZEEBE_CLIENT_ID}" \
    --data-urlencode "client_secret=${ZEEBE_CLIENT_SECRET}"

A successful authentication response looks like the following:

{
  "access_token": "<TOKEN>",
  "expires_in": 300,
  "refresh_expires_in": 0,
  "token_type": "Bearer",
  "not-before-policy": 0
}

Capture the value of the access_token property and store it as your token.

Add an M2M application in Identity.
Add permissions to this application for Camunda 8 REST API.
Capture the Client ID and Client Secret from the application in Identity.

Generate a token to access the REST API. Provide the client_id and client_secret from the values you previously captured in Identity.

curl --location --request POST 'http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode "client_id=${CLIENT_ID}" \
--data-urlencode "client_secret=${CLIENT_SECRET}" \
--data-urlencode 'grant_type=client_credentials'

A successful authentication response looks like the following:

{
  "access_token": "<TOKEN>",
  "expires_in": 300,
  "refresh_expires_in": 0,
  "token_type": "Bearer",
  "not-before-policy": 0
}

Capture the value of the access_token property and store it as your token.

Using a token

Include the captured token as an authorization header in each request: Authorization: Bearer <TOKEN>.

For example, to call the Camunda 8 REST API's /topology endpoint, send the following request against the target environment:

SaaS
Self-Managed

tip

The ${ZEEBE_REST_ADDRESS} variable below represents the URL of the Camunda 8 REST API. You can capture this URL when creating an API client. You can also construct it as https://${REGION}.zeebe.camunda.io/${CLUSTER_ID}/.

tip

The ${ZEEBE_REST_ADDRESS} variable below represents the URL of the Camunda 8 REST API. You can configure this value in your Self-Managed installation. The default value is http://localhost:8080/.

curl --header "Authorization: Bearer ${TOKEN}" \
     ${ZEEBE_REST_ADDRESS}/v2/topology

A successful response would include information about the cluster. For example:

{
  "brokers": [
    ...
  ],
  "clusterSize": 3,
  "partitionsCount": 3,
  "replicationFactor": 3,
  "gatewayVersion": "8.6.0"
}

Token expiration

Access tokens expire according to the expires_in property of a successful authentication response. After this duration, in seconds, you must request a new access token.

Generating a token​

Using a token​

Token expiration​

Generating a token

Using a token

Token expiration