Authentication
All Optimize API requests except the health readiness endpoint require authentication. To authenticate, generate a JSON Web Token (JWT) and include it in each request.
Generate a token
- SaaS
- Self-Managed
- Create client credentials in the Clusters > Cluster name > API tab of Camunda Console.
- Add permissions to this client for Optimize.
- Once you have created the client, capture the following values required to generate a token:
Name Environment variable name Default value Client ID ZEEBE_CLIENT_ID- Client Secret ZEEBE_CLIENT_SECRET- Authorization Server URL ZEEBE_AUTHORIZATION_SERVER_URLhttps://login.cloud.camunda.io/oauth/tokenOptimize REST Address CAMUNDA_OPTIMIZE_BASE_URL- cautionWhen client credentials are created, the
Client Secretis only shown once. Save thisClient Secretsomewhere safe. - Execute an authentication request to the token issuer:A successful authentication response looks like the following:
curl --request POST ${ZEEBE_AUTHORIZATION_SERVER_URL} \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'audience=optimize.camunda.io' \
--data-urlencode "client_id=${ZEEBE_CLIENT_ID}" \
--data-urlencode "client_secret=${ZEEBE_CLIENT_SECRET}"{
"access_token": "<TOKEN>",
"expires_in": 300,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0
} - Capture the value of the
access_tokenproperty and store it as your token.
- Configure the
api.audiencesetting in your Optimize installation to match the audience property of the Optimize API API in Identity. - Add an M2M application in Identity.
- Add permissions to this application for Optimize API.
- Capture the
Client IDandClient Secretfrom the application in Identity. - Generate a token to access the REST API. Provide the
client_idandclient_secretfrom the values you previously captured in Identity.A successful authentication response looks like the following:curl --location --request POST 'http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode "client_id=${CLIENT_ID}" \
--data-urlencode "client_secret=${CLIENT_SECRET}" \
--data-urlencode 'grant_type=client_credentials'{
"access_token": "<TOKEN>",
"expires_in": 300,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0
} - Capture the value of the
access_tokenproperty and store it as your token.
The Optimize API can also be configured in a Self-Managed environment to authenticate using a single shared access token. See Public API Configuration for the configuration required to access the public API using a specific token.
Use a token
Include the previously captured token as an authorization header in each request: Authorization: Bearer <TOKEN>.
For example, to send a request to the Optimize API's "Get dashboard IDs" endpoint:
- SaaS
- Self-Managed
The ${CAMUNDA_TASKLIST_BASE_URL} variable below represents the URL of the Optimize API. You can capture this URL when creating an API client. You can also construct it as https://${REGION}.optimize.camunda.io/${CLUSTER_ID}.
The ${CAMUNDA_OPTIMIZE_BASE_URL} variable below represents the URL of the Optimize API. You can configure this value in your Self-Managed installation. The default value is http://localhost:8083.
curl --header "Authorization: Bearer ${TOKEN}" \
-G --data-urlencode "collectionId=${COLLECTION_ID}" \
${CAMUNDA_OPTIMIZE_BASE_URL}/api/public/dashboard
A successful response includes dashboard IDs. For example:
[
{
"id": "11111111-1111-1111-1111-111111111111"
},
{
"id": "22222222-2222-2222-2222-222222222222"
}
]
Token expiration
Access tokens expire according to the expires_in property of a successful authentication response. After this duration, in seconds, you must request a new access token.