Create an API token


API token authentication for CyberArk Identity Security Platform Shared Services

This topic describes how to configure a service account for the platformtoken REST API, which you can call to get a bearer token for authenticating to CyberArk Identity Security Platform Shared Services (ISPSS) APIs. You can use the token to authenticate requests to these services:

Service name: Service API URL

  • Access control policies (for access policy management in the Administration space): https://<subdomain>.uap.cyberark.cloud/api
  • Cloud Visibility (CV): https://<subdomain>.cem.cyberark.cloud/api
  • Connector Management: https://<subdomain>.connectormanagement.cyberark.cloud/api
  • Privilege Cloud: https://<subdomain>.privilegecloud.cyberark.cloud/PasswordVault/API
  • Secrets Hub: https://<subdomain>.secretshub.cyberark.cloud/api
  • Secure Cloud Access (SCA): https://<subdomain>.sca.cyberark.cloud/api
  • Secure Infrastructure Access (SIA): https://<subdomain>.dpa.cyberark.cloud/api

To authenticate with the services' APIs, add the token returned from the platformtoken endpoint as an Authorization header:

Authorization: Bearer <token>

Where <token> is the value of access_token returned in the platformtoken response.

Note

For information on how to configure other authentication methods, see the Developer resources documentation.

Step 1: Create an ISPSS service account

In the Identity Administration portal, create an OAuth service user:

  1. Go to Core Services > Users.

  2. Click Add User and fill out the following fields:

    • Login name

    • Display name

    • Password

    Note

    You need the Login name and Password values in Step 2 below.

  3. In the Status checklist, select the Is OAuth confidential client checkbox.

    The following checkboxes are automatically selected:

    • Is Service User

    • Password never expires

  4. Click Create User.

  5. To enable authenticating with the token to the ISPSS APIs, add the service user to the roles of the required services:
    Go to Core Services > Roles, then select the relevant role and add the service user as a member. For example, to enable authenticating to SCA APIs, add the service user to the SCAApiFullAccess or SCAApiReadOnly role (see ISPSS user roles for more information).

Note

Service users are not displayed in the list of active users as they do not access the Identity Administration User Portal. To view service users, click All Users or All Service Users.

Step 2: Get the bearer token

To get a bearer token for ISPSS APIs, call the platformtoken endpoint. The endpoint returns a JSON object with the token used to authenticate ISPSS API calls (in the access_token field).

Request URL

POST https://<identity-tenant-id>.id.cyberark.cloud/oauth2/platformtoken

Request body

A URL-encoded form with the following fields:

  • grant_type: must be client_credentials
  • client_id: the login name of the service account you created in Step 1 above
  • client_secret: the password of the service account you created in Step 1 above

Example request

The request below returns a token for a service account with these credentials:

Success response code

200

Success response body

A JSON object with the bearer token specified in the access_token field.

Example response

Step 3: Send requests to your service APIs

Add the token returned in Step 2 above as an authorization bearer token header to your service API requests. For example:
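
Steps 2 and 3 in Python, as an added example that is not CyberArk's own code: it builds the URL-encoded platformtoken request, extracts access_token, and produces the Authorization header. The function names, the environment variable names and the tenant ID character check are assumptions of this example.

```python
import json
import os
import re
import urllib.parse
import urllib.request

TOKEN_URL = "https://{tenant}.id.cyberark.cloud/oauth2/platformtoken"


def build_token_request(tenant_id, client_id, client_secret):
    """Step 2 request. urlencode() escapes &, +, = and spaces in the password."""
    # Assumption: the tenant ID is a single hostname label, so reject anything
    # that could redirect the credentials to another host or path.
    if not re.fullmatch(r"[A-Za-z0-9-]+", tenant_id):
        raise ValueError("tenant ID must be a single hostname label")
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    return urllib.request.Request(
        TOKEN_URL.format(tenant=tenant_id), data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(body):
    """Return access_token from the JSON body; fail closed if it is absent."""
    data = json.loads(body)
    token = data.get("access_token") if isinstance(data, dict) else None
    if not isinstance(token, str) or not token:
        raise ValueError("platformtoken response has no access_token")
    return token


def bearer_headers(token):
    """Step 3: header to attach to each ISPSS service API request."""
    return {"Authorization": f"Bearer {token}"}


def get_token(tenant_id, client_id, client_secret, timeout=10):
    """Send the request; urlopen raises HTTPError on a non-2xx status."""
    req = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read())


if __name__ == "__main__":
    # Read the secret from the environment (names assumed), not from source code.
    env = os.environ
    token = get_token(env["ISPSS_TENANT_ID"], env["ISPSS_CLIENT_ID"], env["ISPSS_CLIENT_SECRET"])
    print("token acquired; headers set:", list(bearer_headers(token)))  # never print the token
```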
