REST-API Token based authentication March 15, 2026 11:44 Updated Token based authentication is one of the 4 ways available to use in context of REST-API. Other than token, you can user basic auth, OAuth2.0 and JSON Web Token. For an overview, please consult REST-API Authentication. Token-based authentication is a proprietary method developed by BOC Group that enables user access to the REST API using a token instead of a username and password. This process includes sending a security hash generated from the client’s public identifier, the client’s secret key, a GUID, a request timestamp, and the parameters associated with the request. This approach helps prevent unauthorized access to the API and mitigates issues related to repeated transmissions and abuse of requests.This authentication method is available for Java client applications onlyThis guide will demonstrate a simple authentication and REST-API (get model) call between an BOC Management Office Product and the exemplary third-party REST-API Tool Bruno, but can be easily adapted to your specific needs. The provided example, will not work for every query and should only provide a starting point for further use. PrerequisitesPlease make sure, that token based authentication is configured correctly in your BOC Management Office Product: ADONIS / ADOGRC 16.0 and up REST-API Settings | ADONIS ADONIS / ADOGRC 15.0 and below REST-API Settings | ADONIS ADOIT 17.0 and up REST-API Settings | ADOIT ADOIT 17.0 and below REST-API Settings | ADOIT In Bruno, define your variables SECRET and IDENTIFIER as environment variables. ExampleRepository read API: GET {URL}/rest/4.0/repos/{repo_id}/models/{model_id}Pre Request Script:const CryptoJS = require("crypto-js") let uuid = require("uuid"); // Fetch the SECRET and IDENTIFIER from Postman variables let REST_SECRET = bru.getEnvVar("SECRET"); let REST_IDENTIFIER = bru.getEnvVar("IDENTIFIER"); // Define static headers for the request let aHeaders = { "x-axw-rest-identifier": REST_IDENTIFIER, "x-axw-rest-guid": uuid.v4(), "x-axw-rest-timestamp": Date.now().toString(), }; // Put the header and query object keys and values in an array and add the SECRET let aRESTTokenCollection = [ ...Object.keys(aHeaders), ...Object.values(aHeaders), REST_SECRET, ]; // Put query parameters into the token req.getUrl((queryParam) => aRESTTokenCollection.push( queryParam.key, decodeURIComponent(queryParam.value) ) ); // Sort by locale "en-US" aRESTTokenCollection.sort((a, b) => a.localeCompare(b, "en-US")); // Create HMAC-SHA512 signature from the stringified collection let aRESTToken = CryptoJS.HmacSHA512( aRESTTokenCollection.join(""), REST_SECRET ); // Encode the signature and add it as token to the headers aHeaders["x-axw-rest-token"] = aRESTToken.toString(CryptoJS.enc.Base64); // if it's a post/patch method add the application/json header if (req.getMethod == "POST" || req.getMethod == "PATCH") { aHeaders["Content-Type"] = "application/json"; } //if it's a put method add the */* header if (req.getMethod == "PUT") { aHeaders["Content-Type"] = "*/*"; } // Add the headers to the request req.setHeaders(aHeaders);Further InformationREST-API Documentation: Welcome to the BOC Developer Portal | BOC Developer Portal Related articles REST-API Connection Troubleshooting Enabling REST when using SSO with IDM How to fix REST status codes 401 and 500? Database Creation Guides REST-API: Basic Authentication vs. OAuth 2.0