Skip to main content
Version: Next


Authenticate to access the Tasklist API.

Authentication in the cloud

To access the API endpoint, you need an access token.

Your client must send a header in each request:

Authorization: Bearer <Token>

For example, send a request using curl:

curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer <TOKEN>" -d '{"query": "{tasks(query:{}){name}}"}' http://localhost:8080/graphql

How to obtain the access token

You must obtain a token to use the Tasklist API. When you create a Tasklist client, you get all the information needed to connect to Tasklist.

Refer to our guide on building your own client.

The following settings are needed:

NameDescriptionDefault value
client idName of your registered client-
client secretPassword for your registered client-
audiencePermission name; if not given use default
authorization server urlToken issuer server-

Send a token issue POST request to the authorization server with the following content:

"client_id": "<client-id>",
"client_secret": "<client-secret>",
"audience": "<audience>",
"grant_type": "client_credentials"

Refer to the following example with curl:

curl -X POST --header 'content-type: application/json' --data '{"client_id": "<client-id>", "client_secret":"<client-secret>","audience":"<audience>","grant_type":"client_credentials"}' https://<authorization server url>

If the authentication is successful, the authorization server sends back the access token, when it expires, scope, and type:

"access_token": "ey...",
"scope": "...",
"expires_in": 86400,
"token_type": "Bearer"

Authentication for Self-Managed cluster

Authentication via Identity JWT access token

The authentication is described in Tasklist Configuration - Authentication.


When authenticating via cookie, note that Cross-Site Request Forgery (CSRF) protection must be disabled to allow this method of authentication. In a Camunda Self-Managed cluster, set the configuration property camunda.tasklist.csrfPreventionEnabled to false.

Another way to access the Tasklist API in a Self-Managed cluster is to send cookie headers in each request. The cookie can be obtained by using the API endpoint /api/login. Take the following steps:

  1. Log in as user 'demo' and store the cookie in the file cookie.txt:
curl -c cookie.txt -X POST 'http://localhost:8080/api/login?username=demo&password=demo'
  1. Send the cookie (as a header) in each API request. In this case, request all process definitions:
curl -b cookie.txt -X POST 'http://localhost:8080/v1/process-definitions/search' -H 'Content-Type: application/json' -d '{}'