API Authentication for CyberArk Identity Security Platform Shared Services
This topic describes the REST APIs used to authenticate to the CyberArk Identity Security Platform Shared Services and how to use them in your service's REST APIs for automating tasks.
Most REST API requests require an authentication token.
In CyberArk Identity Security Platform Shared Services, API authentication is defined through Identity Administration where you define the following for non-interactive API:
A dedicated API Service user, for non-interactive API. It is recommended to have a separate dedicated user for API activities, based on the Service user. This user is dedicated to API and automation tasks, has least-privilege access permissions, is not assigned MFA policies, and cannot access the Identity Administration User Portal.
Authentication method, for non-interactive API. Currently, grant_type=client_credentials is supported for non-interactive API.
For interactive API, refer to CyberArk Identity API documentation.
CyberArk recommends securing credentials in a centrally stored, logged, and managed solution, such as CyberArk Secrets Manager.
Authentication - OAuth example
Use the resulting access token as Authorization bearer token.
Step 1: Create a Service user for API requests
In the Identity Administration Portal, create a service user that is an OAuth confidential client.
Go to Core Services > Users, then click Add User and complete the following fields:
In the Status checklist, select the Is OAuth confidential client checkbox.
The following checkboxes are selected by default:
Is Service User
Password never expires
Click Create User.
Assign the newly created Service user(s) to your service's role that enables them to send requests to your service's APIs.
Go to Core Services > Roles, then access the relevant role and add the Service user(s) as a member.
Step 2: Run the request for the platform access token
The request takes the following parameters:
User name. The user login name as displayed in the Identity Administration portal Users list: login_name@<suffix>
Password. The access password defined for the user.
The API response provides the requested token:
access_token. String representing the requested bearer token. Learn about access tokens.
The validity period for the received token.
The default validity period is 5 hours. The admin can set the access token lifetime on the OIDC custom app, described in how to set the access token lifetime.
Store the bearer token received in the response access_token field and include it in the authorization header of requests to your service APIs.
Step 3: Send requests to your service APIs
Use the token you created in the previous step as Authorization bearer token when sending requests to your service APIs.
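The following Python script is an added example that walks through Steps 2 and 3 above; it is not code from CyberArk or from this documentation. It builds the grant_type=client_credentials request, parses the token response, tracks the token's validity period so it can be refreshed before it expires, and produces the Authorization bearer header for requests to your service APIs. Several points are assumptions of this example rather than statements from the page: the token endpoint URL is read from the ISP_TOKEN_URL environment variable (the page does not give the URL, so the default is a placeholder); the Service user's login name and password are sent as the standard OAuth 2.0 client_id and client_secret parameters; and the validity period is read from the standard expires_in field. The sample JSON used by the checks is constructed.

```python
"""Non-interactive (client_credentials) platform token retrieval, as an added example."""
import json
import os
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Assumption: the tenant's token endpoint comes from the environment. The page
# does not name the URL, so the default below is an obvious placeholder.
TOKEN_URL = os.environ.get("ISP_TOKEN_URL", "https://<tenant-placeholder>/oauth2/platformtoken")

# Refresh this many seconds before the stated expiry so that a request in
# flight does not fail on a token that has just expired.
REFRESH_MARGIN_SECONDS = 60


@dataclass
class PlatformToken:
    access_token: str
    expires_at: float  # epoch seconds at which the token stops being valid

    def is_valid(self, now: Optional[float] = None) -> bool:
        """True while the token is usable with the refresh margin applied."""
        now = time.time() if now is None else now
        return now < self.expires_at - REFRESH_MARGIN_SECONDS


def build_token_request(login_name: str, password: str) -> tuple:
    """Return (headers, form body) for the client_credentials request.

    Assumption: the Service user's login name (login_name@<suffix>) is sent as
    client_id and its password as client_secret, the standard OAuth 2.0 names.
    """
    form = {
        "grant_type": "client_credentials",
        "client_id": login_name,
        "client_secret": password,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return headers, urllib.parse.urlencode(form).encode()


def parse_token_response(body: str, now: float) -> PlatformToken:
    """Parse the token endpoint's JSON body into a PlatformToken.

    access_token is named on the page; expires_in (seconds) is the standard
    OAuth 2.0 field for the validity period and is assumed here. When it is
    absent, the page's default lifetime of 5 hours is used.
    """
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError(f"token response without access_token: {data.get('error', 'unknown')}")
    expires_in = int(data.get("expires_in", 5 * 3600))
    return PlatformToken(access_token=data["access_token"], expires_at=now + expires_in)


def auth_header(token: PlatformToken) -> dict:
    """Authorization header to attach to requests against your service APIs."""
    return {"Authorization": f"Bearer {token.access_token}"}


def fetch_platform_token(login_name: str, password: str) -> PlatformToken:
    """Perform the live request (needs network access and real credentials)."""
    headers, body = build_token_request(login_name, password)
    req = urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read().decode(), time.time())


if __name__ == "__main__":
    # Credentials come from the environment (or, as the page recommends, a
    # secrets manager); the Service user's password is never hard-coded.
    tok = fetch_platform_token(os.environ["ISP_API_USER"], os.environ["ISP_API_PASSWORD"])
    print("token valid:", tok.is_valid())
    print("header prefix:", auth_header(tok)["Authorization"][:7])
```

Keep one PlatformToken per process and call is_valid() before each batch of requests; only when it returns False is a new token requested, which avoids hammering the token endpoint while still never sending an expired bearer token to your service APIs.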