Generating a bearer token

In rare scenarios where you cannot use ZenApiKey authorization tokens, you can generate a bearer token using your IBM watsonx credentials. You can use the bearer token to authenticate to IBM watsonx APIs and access IBM watsonx endpoints.

About this task

Tokens and API keys are subject to authorization checks. Invocation of API endpoints depends on the role and permissions that you are granted on the platform and in services.

Important: Some cURL commands work with only some authentication methods. When SAML SSO is enabled, you must authenticate with an API key.

If you want to authenticate with an API key to generate a bearer token, generate the API key first. For more information, see Generating API keys for authentication.

Procedure

  1. If you want to authenticate with a Red Hat® OpenShift® username and password, but the OpenShift username doesn't contain the prefix IAM#, then you need to update the roksUserPrefix parameter with an empty value to remove the required prefix.
    1. Run the following command to update roksUserPrefix directly from the authentication custom resource (CR):
      oc patch Authentication.operator.ibm.com example-authentication \
      --type=merge \
      -p '{"spec":{"config":{"roksUserPrefix":""}}}'

      After you run the command, the platform pods should automatically restart.

    2. Run the following command to check that roksUserPrefix was patched:
      oc get Authentication.operator.ibm.com example-authentication \
      -o jsonpath='{.spec.config.roksUserPrefix}'

    For more information about roksUserPrefix, see Delegating authentication to OpenShift.

  2. Call the API by using one of the following cURL commands. Choose the command that uses the credentials you want to authenticate with.
    • Authenticate with a username and password:
      curl -k -X POST \
          "https://<instance_route>/icp4d-api/v1/authorize" \
          -H "Content-Type: application/json" \
          -d '{
              "username": "<username>",
              "password": "<password>"
      }'
    • Authenticate with a username and password and also validate a self-signed certificate:
      curl -X POST \
          "https://<instance_route>/icp4d-api/v1/authorize" \
          --cacert /<path_to_root-ca>.crt \
          -H "Content-Type: application/json" \
          -d '{
              "username": "<username>",
              "password": "<password>"
      }'

      If the certificate is signed by a proper root certification authority (CA), then neither the -k parameter, which skips certificate verification, nor the --cacert parameter is needed because curl already trusts the root CA.

    • Authenticate with an API key:
      curl -k -X POST \
          "https://<instance_route>/icp4d-api/v1/authorize" \
          -H "Content-Type: application/json" \
          -d '{
            "username":"<username>",
            "api_key":"<api_key>"
      }'

    Replace <instance_route> with the details for the service instance. Replace <username>, <password>, and <api_key> with your IBM watsonx credentials. If you use a self-signed certificate, then replace <path_to_root-ca> as well.

This command returns a response that contains the bearer token.
{
    "_messageCode_": "200",
    "message": "Success",
    "accessToken": "<bearer-token>"
}

For more information about the /icp4d-api/v1/authorize endpoints, see Get authorization token in the IBM® Software Hub Platform API.

What to do next

Use the bearer token that you generated in the authorization header of subsequent API calls.

curl -H "Authorization: Bearer <token>" "https://<platform_instance_route>/<endpoint>"
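
The same flow as a script, added here as an example and not taken from IBM's documentation: it posts a username and API key to /icp4d-api/v1/authorize with certificate verification on, rejects a response that is not a success, and builds the Authorization header. The WX_* environment variable names and the function names are assumptions, as is treating any _messageCode_ other than 200, or a missing accessToken, as a failure.

```python
import json
import os
import ssl
import urllib.request


def build_authorize_request(instance_route, username, api_key):
    """Build the POST to /icp4d-api/v1/authorize with a JSON-encoded body."""
    # json.dumps escapes quotes and backslashes inside the credentials.
    body = json.dumps({"username": username, "api_key": api_key}).encode()
    return urllib.request.Request(
        f"https://{instance_route}/icp4d-api/v1/authorize",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def extract_token(response_text):
    """Return accessToken, or raise without echoing the token or request."""
    doc = json.loads(response_text)
    if str(doc.get("_messageCode_")) != "200" or not doc.get("accessToken"):
        raise RuntimeError(f"authorize failed: {doc.get('message', 'no message')}")
    return doc["accessToken"]


def get_bearer_token(instance_route, username, api_key, ca_file=None):
    """Request a token; ca_file plays the role of curl --cacert."""
    # The default context verifies the certificate chain and the host name,
    # so this path has no equivalent of curl -k.
    ctx = ssl.create_default_context(cafile=ca_file)
    req = build_authorize_request(instance_route, username, api_key)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return extract_token(resp.read().decode("utf-8"))


def auth_header(token):
    """Header for subsequent API calls, as in the final curl command."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    # Assumed variable names; credentials stay out of the command line.
    token = get_bearer_token(
        os.environ["WX_INSTANCE_ROUTE"],
        os.environ["WX_USERNAME"],
        os.environ["WX_API_KEY"],
        ca_file=os.environ.get("WX_ROOT_CA"),
    )
    print("token acquired, length", len(token))
```

Reading the credentials from the environment keeps them out of shell history and the process list, where the -d argument of the curl commands would otherwise be visible.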