REST-API Token based authentication

October 24, 2024 11:58 Updated

Token-based authentication is one of the 4 authentication methods available for the REST-API. Besides tokens, you can use basic auth, OAuth2.0 and JSON Web Token. For an overview, please consult REST-API Authentication.

Token-based authentication is a proprietary method developed by BOC Group that enables user access to the REST API using a token instead of a username and password. With every request, the client sends a security hash generated from the client's public identifier, the client's secret key, a GUID, a request timestamp, and the parameters associated with the request. This approach helps prevent unauthorized access to the API and mitigates issues related to repeated transmissions and abuse of requests.

This authentication method is available for Java client applications only.

This guide demonstrates a simple authentication and REST-API (get model) call between a BOC Management Office Product and the exemplary third-party REST-API tool Bruno, but it can easily be adapted to your specific needs. The provided example will not work for every query and should only provide a starting point for further use.

Prerequisites

Please make sure that token-based authentication is configured correctly in your BOC Management Office Product:

- ADONIS / ADOGRC 16.0 and up: REST-API Settings | ADONIS
- ADONIS / ADOGRC 15.0 and below: REST-API Settings | ADONIS
- ADOIT 17.0 and up: REST-API Settings | ADOIT
- ADOIT 17.0 and below: REST-API Settings | ADOIT

In Bruno, define your variables SECRET and IDENTIFIER as environment variables.
Example

Repository read API: GET {URL}/rest/4.0/repos/{repo_id}/models/{model_id}

Pre Request Script:

    const CryptoJS = require("crypto-js");
    let uuid = require("uuid");

    // Fetch the SECRET and IDENTIFIER from the Bruno environment variables
    let REST_SECRET = bru.getEnvVar("SECRET");
    let REST_IDENTIFIER = bru.getEnvVar("IDENTIFIER");

    // Define static headers for the request
    let aHeaders = {
      "x-axw-rest-identifier": REST_IDENTIFIER,
      "x-axw-rest-guid": uuid.v4(),
      "x-axw-rest-timestamp": Date.now().toString(),
    };

    // Put the header keys and values in an array and add the SECRET
    let aRESTTokenCollection = [
      ...Object.keys(aHeaders),
      ...Object.values(aHeaders),
      REST_SECRET,
    ];

    // Put query parameters into the token. req.getUrl() returns the URL as a
    // string, so the query string is split into key/value pairs here.
    const sUrl = req.getUrl();
    const iQuery = sUrl.indexOf("?");
    const sQuery = iQuery < 0 ? "" : sUrl.slice(iQuery + 1).split("#")[0];
    sQuery.split("&").filter(Boolean).forEach((sPair) => {
      const iEq = sPair.indexOf("=");
      const sKey = iEq < 0 ? sPair : sPair.slice(0, iEq);
      const sValue = iEq < 0 ? "" : sPair.slice(iEq + 1);
      aRESTTokenCollection.push(sKey, decodeURIComponent(sValue));
    });

    // Sort by locale "en-US"
    aRESTTokenCollection.sort((a, b) => a.localeCompare(b, "en-US"));

    // Create HMAC-SHA512 signature from the stringified collection
    let aRESTToken = CryptoJS.HmacSHA512(aRESTTokenCollection.join(""), REST_SECRET);

    // Encode the signature and add it as token to the headers
    aHeaders["x-axw-rest-token"] = aRESTToken.toString(CryptoJS.enc.Base64);

    // If it's a POST/PATCH method, add the application/json header
    if (req.getMethod() == "POST" || req.getMethod() == "PATCH") {
      aHeaders["Content-Type"] = "application/json";
    }

    // If it's a PUT method, add the */* header
    if (req.getMethod() == "PUT") {
      aHeaders["Content-Type"] = "*/*";
    }

    // Add the headers to the request
    req.setHeaders(aHeaders);

Further Information

REST-API Documentation: Welcome to the BOC Developer Portal | BOC Developer Portal
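The token construction from the pre-request script above, as a stand-alone Node.js example added here (not BOC code), together with a hypothetical receiver-side check that shows how the GUID and timestamp make a repeated or altered request detectable. The function names, the 5-minute window, the query parameter and all sample values are assumptions.

```javascript
const crypto = require("crypto");

// Same construction as the pre-request script: header names, header values,
// the secret and every query key/value are sorted, joined and HMAC-SHA512 signed.
function computeToken(secret, authHeaders, queryParams) {
  const parts = [...Object.keys(authHeaders), ...Object.values(authHeaders), secret];
  for (const [key, value] of Object.entries(queryParams)) parts.push(key, value);
  parts.sort((a, b) => a.localeCompare(b, "en-US"));
  return crypto.createHmac("sha512", secret).update(parts.join(""), "utf8").digest("base64");
}

// guid and timestampMs are parameters so the result is reproducible.
function signRequest(identifier, secret, queryParams, guid, timestampMs) {
  const headers = {
    "x-axw-rest-identifier": identifier,
    "x-axw-rest-guid": guid,
    "x-axw-rest-timestamp": String(timestampMs),
  };
  return { ...headers, "x-axw-rest-token": computeToken(secret, headers, queryParams) };
}

// Hypothetical receiver-side check (an assumption, not BOC's server logic):
// reject a wrong token, a stale timestamp, or a GUID that was already used.
function checkRequest(headers, queryParams, secret, seenGuids, nowMs, maxAgeMs = 300000) {
  const { "x-axw-rest-token": token, ...signed } = headers;
  const expected = Buffer.from(computeToken(secret, signed, queryParams));
  const given = Buffer.from(String(token));
  // Constant-time comparison so the check does not leak how many bytes matched.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return "bad-token";
  if (Math.abs(nowMs - Number(signed["x-axw-rest-timestamp"])) > maxAgeMs) return "stale";
  if (seenGuids.has(signed["x-axw-rest-guid"])) return "replayed";
  seenGuids.add(signed["x-axw-rest-guid"]);
  return "ok";
}

// Constructed sample values, not real credentials or real API parameters.
const SAMPLE = signRequest("example-client", "example-secret", { attribute: "NAME" },
  "00000000-0000-4000-8000-000000000001", 1700000000000);
```

Because the query parameters are part of the signed string, a token captured for one query does not validate for another, and a client whose clock is far off will produce timestamps a receiver applying a freshness window rejects.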