
Token Management Service – Samples

Generating the X-SPACE-AUTH-KEY

  1. Encode the following combination of user name/ID and password/secret using Base64:

    <client_id>:<client_secret>
    
  2. Build the <X-SPACE-AUTH-KEY> using the word Basic, followed by a space and the encoding result, e.g.:

    X-SPACE-AUTH-KEY: Basic <ZGlvcDEtaGVybWlvbmUtaGVybWlvbmU6c2RqaGZhc2RqaGZqYXNkaGZqa2FzZGhmams=>
    

Getting a Token to Access User IoT Data

Use the following endpoint:

POST api/technicaltokenmanager/v3/oauth/token

Define the following header keys, replacing <X-SPACE-AUTH-KEY> with your authorization key, generated as explained above:

Content-Type: application/json
X-SPACE-AUTH-KEY: <X-SPACE-AUTH-KEY>

Request example:

{
  "appName": "application_x",
  "appVersion": "1.0.0",
  "hostTenant": "host_tenant",
  "userTenant": "user_tenant_1"
}

Sample response:

{
    "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImtleS1pZC0xIiwidHlwIjoiSldUIn0.[...].eClNyplodSUU9MFJS2eM-Mc_pU2niRCDtEGZARxrq0UhseZ4DbqMwOIW4wEFqqBvNN-mdYS6XumnnFDn4IFEnJyM0DNcCzTucjqVS4RicRsa8lKFODSdQs1wO7FOETDR0_4QHFFvhB54WEsDDzlint67dhZN44nVdM2KLNJ9wkt949MWJtUZy1VrJNz-pRq_F-5Nvh6ZCA0E_DAmCEcyR0wrxY3A2QfZhYneh8VnkTPknWOtPFdpmWp7IXfNrUmiNRMI7EwY9HNTQ4GZsGkZhDdpOOrDIxZkDfTfoUgaLGtzEX8RtLUXPmE2W3e",
    "token_type": "bearer",
    "timestamp": "1559120938825",
    "expires_in": 1799,
    "scope": "cst.r uts.su im.usr.r em.rep.r tm.st.r tm.t.r agm.r iam-action.client_credentials.tenant-impersonation uts.ri asm.r atm.r uts.rc uaa.offline_token emds.ent.r asm.rep.r",
    "jti": "3fcf2a5e-cc76-11e7-abc4-cec278b6b50a"
}

Getting Tokens to Access Multiple Users' IoT Data

Use the following endpoint:

POST api/technicaltokenmanager/v3/oauthTokens

Define the following header keys, replacing <X-SPACE-AUTH-KEY> with your authorization key, generated as explained above:

Content-Type: application/json
X-SPACE-AUTH-KEY: <X-SPACE-AUTH-KEY>

Request example:

{
  "appName": "application_x",
  "appVersion": "1.0.0",
  "hostTenantId": "host_tenant",
  "userTenantIds": [
    "user_tenant_a",
    "user_tenant_b"
  ]
}

Sample response:

{
  "oauthTokens": [
    {
      "userTenantId": "user_tenant_a",
      "token": {
        "access_token": "eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vZGJkZTEubG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJrZXktaWQtMiIsInR5cCI6IkpXVCJ9.[...].zSrnv3ypC9gHPUNGlbAVGxA8tEoGwnOVd2Vk5XNF-XEpf34Fh2JUrG9oYUcyBPeB1pUwOvxxrGuYAFwYk1eGmdAxT0KPL7R2JTbDRPgEPA0hLZN9mw5FL-CTlifzK1isEN_6ePH9y0T2tWCHiUCL5EURcrwrGfP3Xot7Lu2g9ZR-q-ychshsH0HVIZ9GerwRGi5ciO-FI2z8z7omVPojimCbLooLE7V6Kv2mtM5lqStaANxbV1h1ITkiXkEgOpEIRHG6nwqG2LwQybTAIj9MRW-g620qB9PYDYxFcGda",
        "token_type": "bearer",
        "timestamp": "1559120938825",
        "expires_in": 1799,
        "scope": "cst.r uts.su im.usr.r em.rep.r tm.st.r tm.t.r agm.r iam-action.client_credentials.tenant-impersonation uts.ri asm.r atm.r uts.rc uaa.offline_token emds.ent.r asm.rep.r",
        "jti": "3fcf2a5e-cc76-11e7-abc4-cec278b6b50a"
      }
    },
    {
      "userTenantId": "user_tenant_b",
      "token": {
        "access_token": "eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vZGJkZTEubG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJrZXktaWQtMiIsInR5cCI6IkpXVCJ9.[...].zSrnv3ypC9gHPUNGlbAVGxA8tEoGwnOVd2Vk5XNF-XEpf34Fh2JUrG9oYUcyBPeB1pUwOvxxrGuYAFwYk1eGmdAxT0KPL7R2JTbDRPgEPA0hLZN9mw5FL-CTlifzK1isEN_6ePH9y0T2tWCHiUCL5EURcrwrGfP3Xot7Lu2g9ZR-q-ychshsH0HVIZ9GerwRGi5ciO-FI2z8z7omVPojimCbLooLE7V6Kv2mtM5lqStaANxbV1h1ITkiXkEgOpEIRHG6nwqG2LwQybTAIj9MRW-g620qB9PYDYxFcGdb",
        "token_type": "bearer",
        "timestamp": "1559120938828",
        "expires_in": 1799,
        "scope": "cst.r uts.su im.usr.r em.rep.r tm.st.r tm.t.r agm.r iam-action.client_credentials.tenant-impersonation uts.ri asm.r atm.r uts.rc uaa.offline_token emds.ent.r asm.rep.r",
        "jti": "3fcf2a5e-cc76-11e7-abc4-cec278b6b50b"
      }
    }
  ]
}

Getting a List of all Authorized Users of an Application

Use the following endpoint:

GET api/technicaltokenmanager/v3/userTenants

Info

This endpoint expects a token in the authorization header with the bearer scheme. The token can be obtained from /oauth/token using the operator tenant as both userTenant and hostTenant.

Sample response:

{
  "userTenants": [
    {
      "id": "user_tenant_1"
    },
    {
      "id": "user_tenant_2"
    }
  ]
}

Info

This endpoint only returns up to 100 tenant IDs per request.

Getting Tokens to Access all Users' IoT Data

  1. Request a token from the /oauth/token endpoint as described in Getting a Token to Access User IoT Data, using the tenant your app runs on as both userTenant and hostTenant.

    Request example:

    {
      "appName": "application_x",
      "appVersion": "1.0.0",
      "hostTenant": "operator_tenant",
      "userTenant": "operator_tenant"
    }
    
  2. Get a list of all author tenants from the /userTenants endpoint as described in Getting a List of all Authorized Users of an Application.

    Info

    This endpoint only returns up to 100 tenant IDs per request.

  3. Request up to 5 access tokens from the /oauthTokens endpoint as described in Getting Tokens to Access Multiple Users' IoT Data. Repeat this step as required to get access tokens for all user tenants.

    Request example:

    {
      "appName": "application_x",
      "appVersion": "1.0.0",
      "hostTenantId": "host_tenant",
      "userTenantIds": [
        "user_tenant_a",
        "user_tenant_b"
      ]
    }
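
The batching in step 3, together with the X-SPACE-AUTH-KEY construction from the first section, as an added example that is not part of the original samples. The function names, the injected `send` callable, the `fake_send` stub and the tenant IDs are constructed for illustration; reporting tenants that come back without a token is a defensive assumption, not documented API behaviour.

```python
import base64

BATCH_SIZE = 5  # the page: request up to 5 access tokens per /oauthTokens call

def build_auth_key(client_id, client_secret):
    """'Basic ' + Base64(<client_id>:<client_secret>), as in the first section."""
    if ":" in client_id:
        # Assumption: the first colon separates ID from secret, so an ID
        # containing one would be split in the wrong place by the receiver.
        raise ValueError("client_id must not contain ':'")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def batch_requests(app_name, app_version, host_tenant, user_tenants):
    """Yield one /oauthTokens request body per batch of up to BATCH_SIZE IDs."""
    unique = list(dict.fromkeys(user_tenants))  # drop duplicates, keep order
    for i in range(0, len(unique), BATCH_SIZE):
        yield {
            "appName": app_name,
            "appVersion": app_version,
            "hostTenantId": host_tenant,
            "userTenantIds": unique[i:i + BATCH_SIZE],
        }

def collect_tokens(send, auth_key, bodies):
    """Call send(headers, body) per batch; return ({tenant: token}, missing)."""
    headers = {"Content-Type": "application/json", "X-SPACE-AUTH-KEY": auth_key}
    tokens, missing = {}, []
    for body in bodies:
        reply = send(headers, body)
        got = {e["userTenantId"]: e["token"] for e in reply.get("oauthTokens", [])}
        tokens.update(got)
        missing += [t for t in body["userTenantIds"] if t not in got]
    return tokens, missing

def fake_send(headers, body):
    """Constructed stand-in for the POST; returns no token for 'tenant_07'."""
    return {"oauthTokens": [
        {"userTenantId": t,
         "token": {"access_token": "constructed-" + t, "expires_in": 1799}}
        for t in body["userTenantIds"] if t != "tenant_07"]}

def demo():
    tenants = [f"tenant_{n:02d}" for n in range(12)]  # constructed IDs
    key = build_auth_key("example_id", "example_secret")
    bodies = batch_requests("application_x", "1.0.0", "host_tenant", tenants)
    return collect_tokens(fake_send, key, bodies)  # 3 calls: 5 + 5 + 2 IDs
```

In a real client, `send` would POST the body to api/technicaltokenmanager/v3/oauthTokens over TLS and return the parsed JSON.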
    

Best Practices to Issue Tokens

  • Cache tokens and only issue a new one when the cached token has expired.
    Although the Token Manager API provides caching, it is recommended to implement your own caching to overcome the network latency on the request round trip.
  • Do not expose tokens via endpoints.
  • Do not print the service credentials in the application log.
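
One way to apply the caching and logging practices above, as an added example that is not part of the original samples. `TokenCache`, `redact`, `RedactingFilter`, the injected `fetch` callable and the 30-second expiry margin are assumptions made for illustration.

```python
import logging
import re
import time

class TokenCache:
    """Per-tenant access-token cache driven by the response's expires_in."""

    def __init__(self, fetch, skew=30, clock=time.monotonic):
        self._fetch = fetch   # callable(user_tenant) -> token response dict
        self._skew = skew     # assumed safety margin in seconds before expiry
        self._clock = clock   # injectable so expiry can be tested offline
        self._entries = {}    # user_tenant -> (access_token, deadline)

    def get(self, user_tenant):
        now = self._clock()
        entry = self._entries.get(user_tenant)
        if entry and now < entry[1]:
            return entry[0]                     # still valid: no round trip
        reply = self._fetch(user_tenant)        # expired or never fetched
        deadline = now + max(0, int(reply["expires_in"]) - self._skew)
        self._entries[user_tenant] = (reply["access_token"], deadline)
        return reply["access_token"]

    def __repr__(self):
        # Never render token values: repr() output tends to end up in logs.
        return f"TokenCache(tenants={sorted(self._entries)})"

# Matches the value after an X-SPACE-AUTH-KEY header or an access_token field.
_SECRETS = re.compile(
    r"""(X-SPACE-AUTH-KEY["']?\s*:\s*["']?(?:Basic\s+)?"""
    r"""|["']access_token["']\s*:\s*["'])[^\s"',]+""")

def redact(text):
    """Mask service credentials and tokens before text reaches a log sink."""
    return _SECRETS.sub(r"\1[REDACTED]", text)

class RedactingFilter(logging.Filter):
    """Attach with logger.addFilter() to redact every formatted record."""

    def filter(self, record):
        record.msg, record.args = redact(record.getMessage()), ()
        return True
```

The filter is a backstop; the first control is still not to pass headers or token responses to logging calls at all.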



Except where otherwise noted, content on this site is licensed under the MindSphere Development License Agreement.