Skip to main content
Version: 8.8 (unreleased)

Authentication

All Tasklist API requests require authentication. To authenticate, generate a JSON Web Token (JWT) and include it in each request.

Generate a token

  1. Create client credentials in the Clusters > Cluster name > API tab of Camunda Console.
  2. Add permissions to this client for Tasklist.
  3. Once you have created the client, capture the following values required to generate a token:
    NameEnvironment variable nameDefault value
    Client IDZEEBE_CLIENT_ID-
    Client SecretZEEBE_CLIENT_SECRET-
    Authorization Server URLZEEBE_AUTHORIZATION_SERVER_URLhttps://login.cloud.camunda.io/oauth/token
    Tasklist REST AddressCAMUNDA_TASKLIST_BASE_URL-
    caution

    When client credentials are created, the Client Secret is only shown once. Save this Client Secret somewhere safe.

  4. Execute an authentication request to the token issuer: 
    curl --request POST ${ZEEBE_AUTHORIZATION_SERVER_URL} \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        --data-urlencode 'grant_type=client_credentials' \
        --data-urlencode 'audience=tasklist.camunda.io' \
        --data-urlencode "client_id=${ZEEBE_CLIENT_ID}" \
        --data-urlencode "client_secret=${ZEEBE_CLIENT_SECRET}"
    A successful authentication response looks like the following: 
    {
      "access_token": "<TOKEN>",
      "expires_in": 300,
      "refresh_expires_in": 0,
      "token_type": "Bearer",
      "not-before-policy": 0
    }
  5. Capture the value of the access_token property and store it as your token.

Use a token

Include the previously captured token as an authorization header in each request: Authorization: Bearer <TOKEN>.

For example, to send a request to the Tasklist API's "Search tasks" endpoint:

tip

The ${CAMUNDA_TASKLIST_BASE_URL} variable below represents the URL of the Tasklist API. You can capture this URL when creating an API client. You can also construct it as https://${REGION}.tasklist.camunda.io/${CLUSTER_ID}.

curl --request POST ${CAMUNDA_TASKLIST_BASE_URL}/v1/tasks/search \
   --header "Authorization: Bearer ${TOKEN}" \
   --header 'Content-Type: application/json' \
   --data-raw '{}'

A successful response includes matching tasks. For example:

[
  {
    "id": "12345",
    "name": "Do something",
    ...
  }
]

Token expiration

Access tokens expire according to the expires_in property of a successful authentication response. After this duration, in seconds, you must request a new access token.

note

When authenticating via cookie, note that Cross-Site Request Forgery (CSRF) protection must be disabled to allow this method of authentication. In a Camunda Self-Managed cluster, set the configuration property camunda.tasklist.csrfPreventionEnabled to false.

Another way to access the Tasklist API in a Self-Managed cluster is to send cookie headers in each request. This works for scenarios where authentication is managed by Tasklist and not by Identity. The cookie can be obtained by using the API endpoint /api/login:

Example:

  1. Log in as user 'demo' and store the cookie in the file cookie.txt.
curl --request POST 'http://localhost:8080/api/login?username=demo&password=demo' \
   --cookie-jar cookie.txt
  1. Send the cookie as a header in each API request. In this case, request all process definitions.
curl --request POST 'http://localhost:8080/v1/process-definitions/search' \
   --cookie cookie.txt \
   --header 'Content-Type: application/json' -d '{}'