It's crucial to grasp the context of the domain and tenant in every request.
This understanding is key to navigating the system effectively. For a comprehensive
understanding, please refer to the
Regions, domains and tenants from the User Guidelines.
Token Authentication (V1)
Once a user is authenticated, a token is generated for authorisation and access to a NebularStack environment. A token can have a variable life span; however, the default expiry value is one hour. The recommended expiry value is set to a low value that allows enough time to complete tasks.
In short, NebularStack uses JWT (JSON Web tokens), which is the proposed Internet standard for creating data with optional signature and/or optional encryption whose payload holds JSON that asserts some number of claims. The claims in our case would be role assignments and the current scoped domain and tenant. The tokens are signed using certificates. Any tampering with the token would invalidate it.
Using token authentication, you have un-scoped and scoped tokens. Scoped means the token
has been generated for a specific domain or domain and tenant. Based on the roles assigned
to the authenticated user for the domain and tenant, those roles are set within the token.
Tokens can be renewed anytime and re-scoped to another domain and tenant. During the
re-scope or renewal, a newly updated token is provided. If your token is scoped to a
domain and not within a tenant with sufficient roles to perform desired actions on all
relevant tenants, you only need to use the X-Tenant-ID header on any requests in that
domain to set the tenant-id for the request.
Token Authentication (V2)
In the same manner as the /v1/token API resource, /v2/token utilises JWTs (JSON Web Tokens).
During a successful authentication, both an authentication token and a refresh token are generated and returned in the authentication response.
Refresh tokens are used either to rescope an existing authentication token or to renew an expired authentication token. Refresh tokens are valid for 30 days, this lifetime is reset to 30 days when a refresh token is used to renew an expired authentication token, rescope an existing authentication token or a re-authentication occurs. A new refresh token will only be generated if the previous refresh token has expired.
Authentication tokens are used for authorisation and access to the NebularStack environment, by providing said token in the X-Auth-Token HTTP header when making HTTP requests to NebularStack. Authentication tokens are valid for 1 hour, after which a new token must be generated (either by re-authenticating, or renewing said token). An authentication token can be scoped to either a domain alone or both a domain and a tenant, furthermore an authentication token can be renewed or rescoped at anytime. Authentication tokens can be rescoped using either a refresh token or the authenticating users password. If a token is scoped to a domain and not within a tenant with sufficient roles to perform desired actions on all relevant tenants, one need only use the X-Tenant-ID header on requests in that domain to specify the tenant-id for said request.
An authentication token's type can be either "standard" or "minimal".
Standard authentication tokens contain all the roles assigned to the authenticating user, providing access as specified by the user's assigned roles on NebularStack. Additionally, an OTP must be provided when attempting to obtain a standard authentication token if the authenticating user has MFA enabled.
Minimal authentication tokens do not contain any roles, regardless of what roles are assigned to the authenticating user. These tokens provide only limited access to NebularStack, namely to API resources that do not require specific roles. Additionally, an OTP will never be required when attempting to obtain a minimal authentication token, even if the authenticating user has MFA enabled.
When renewing or rescoping an authentication token, the type of the authentication token will remain unchanged. Refreshing a standard authentication token will always yield a standard authentication token, while rescoping a minimal authentication token will always yield a minimal authentication token.
Almost all requests require a X-Auth-Token header to any service endpoint.
POST
/v1/token
(identity)
Authenticate and obtain valid token (V1).
Service identity
Tokens expire after 1 hour by default and can be renewed by doing PUT action on /v1/token, to get another extended token. Tokens are scoped to specific levels of access and restricted to only access the domain and tenant they are scoped for.
During authentication token is scoped by default to no tenant and domain unless specified. There is one exception if the user has no global roles and customer role he will be scoped to one tenant by default.
You can provide the "domain" parameter in the request to scope the token to that specific domain on authentication. The "user_domain" parameter is used to identify in which domain the user is located for authentication purposes. If no "user_domain" parameter is provided, the "domain" parameter will be assumed for the user domain. If no "domain" parameter is provided but a “user_domain” parameter is provided the token will be un-scoped.
Request Parameters
Name
In
Type
Description
MUST include
X-Timezone
header
string
Timezone for response datetime property values. (default UTC)
token expiration time in seconds since unix epoch.
name
body
string
user name field value.
roles
body
string
list of assigned user roles to token.
token
body
string
token to be used for further requests.
user_domain
body
string
domain in which user resides.
user_id
body
string
internal UUID of user account.
username
body
string
login username.
Response Example
{"user_id":"c31a8f26-26e2-11ee-8506-af6e8a7f3a67","metadata":{"name":"Test User Name","system":false},"username":"test@example.com","user_domain":"example.com","domain":"example","exp":1689849985,"roles":["Root"],"token":"TOKEN_FOR_X-AUTH-TOKEN_HEADER"}
POST
/v2/token
(identity)
Authenticate and obtain valid token (V2).
Service identity
Authentication tokens expire after 1 hour, and can be renewed by performing an HTTP PUT request to /v2/token using either the refresh_token obtained when authenticating, or the authenticating users password.
Authentication tokens are scoped to specific levels of access and restricted to only access the domain and tenant they are scoped to.
During authentication, the returned authentication token will be scoped to the provided domain and tenant_id. If no domain is provided, the authentication token will be scoped to the provided user_domain. If no user_domain is provided, the returned authentication token will be scoped to the provided domain. Either the domain or user_domain MUST be provided when authenticating. If no tenant_id is provided, the returned authentication token will not be scoped to a tenant.
When authenticating using the token type set to "minimal", an OTP will not be required if MFA is enabled for the user in question. Additionally, when using the "minimal" token type the authenticating user will not be assigned any roles whatsoever. The "minimal" token type is intended for accessing API resources that are not role-specific.
If an authenticating user has no roles assigned under the domain in which they exist, the user will be scoped to one tenant by default when requesting a standard authentication token. This does not apply when requesting a minimal authentication token.
Request Parameters
Name
In
Type
Description
MUST include
X-Timezone
header
string
Timezone for response datetime property values. (default UTC)
credentials
body
object
Credentials.
X
credentials.otp
body
string
required only if MFA is enabled on the authenticating user and the "type" is set to "standard".
credentials.password
body
string
Credentials Password.
X
domain
body
string
optional Domain to scope authentication token domain context.
method
body
string
the authentication method, must be set to the value "password" for obtaining a new token, regardless of type.
X
tenant_id
body
string
valid tenant_id to scope authentication token tenant context.
type
body
string
the type of the returned authentication token, either "standard" or "minimal".
It is necessary to update a token to change context, when working with an unscoped token.
PATCH
/v1/token
(identity)
Scope token to specific domain (V1).
Service identity
You can scope token to a specific domain and tenant or only to a specific domain. The tenant_id parameter can be left out or set to null.
The context and authorisation roles are stored inside the token. You, however, can not scope a scoped token from one context to another context.
It would be a good idea to keep the relevant un-scoped token and use that to switch and generate new tokens using the below API call.
Request Parameters
Name
In
Type
Description
MUST include
X-Auth-Token
header
string
Valid Authentication Token. Please see developers documentation/identity.
X
X-Timezone
header
string
Timezone for response datetime property values. (default UTC)
domain
body
string
valid domain to scope token domain context.
tenant_id
body
string
valid tenant_id to scope token tenant context.
Request Example
{"domain":"{domain}","tenant_id":"{tenant_id}"}
Response Status Codes
Code
Meaning
200
OK
400
Bad Request
401
Unauthorized / Require Authentication
403
Forbidden / Access Denied
404
Not Found
429
Too Many Requests / Your Rate Limited
500, 501, 502, 503, 504
Service Unavailable
Response Properties
Name
In
Type
Description
domain
body
string
currently scoped domain for token.
exp
body
integer
token expiration time in seconds since unix epoch.
name
body
string
user name field value.
roles
body
string
list of assigned user roles to token.
token
body
string
token to be used for further requests.
user_domain
body
string
domain in which user resides.
user_id
body
string
internal UUID of user account.
username
body
string
login username.
Response Example
{"user_id":"c31a8f26-26e2-11ee-8506-af6e8a7f3a67","metadata":{"name":"Test User Name","system":false},"username":"test@example.com","user_domain":"example.com","domain":"example","exp":1689849985,"roles":["Root"],"token":"TOKEN_FOR_X-AUTH-TOKEN_HEADER"}
PATCH
/v2/token
(identity)
Scope token to specific domain (V2).
Service identity
An existing authentication token can be scoped to a specific domain and tenant, or only a domain. The context and authorisation roles are stored within the token.
When scoping a "minimal" authentication token, the returned token will also be a "minimal" authentication token. When scoping a "standard" authentication token, the returned token will also be a "standard" authentication token.
Request Parameters
Name
In
Type
Description
MUST include
X-Timezone
header
string
Timezone for response datetime property values. (default UTC)
credentials
body
object
Credentials.
X
credentials.password
body
string
required if only if "method" is set to "password".
credentials.token
body
string
the refresh_token obtained when originally authenticating. Required only if "method" is set to "refresh_token"
domain
body
string
valid domain to scope authentication token domain context.
method
body
string
the authentication method, can be set to either "password" or "refresh_token"
X
tenant_id
body
string
valid tenant_id to scope authentication token tenant context.
user_domain
body
string
parent domain for the authenticating user account.
Before a token expires, you can make the below request to receive a new token that will expire in 1 hour.
Request Parameters
Name
In
Type
Description
MUST include
X-Auth-Token
header
string
Valid Authentication Token. Please see developers documentation/identity.
X
X-Timezone
header
string
Timezone for response datetime property values. (default UTC)
Response Status Codes
Code
Meaning
200
OK
400
Bad Request
401
Unauthorized / Require Authentication
403
Forbidden / Access Denied
429
Too Many Requests / Your Rate Limited
500, 501, 502, 503, 504
Service Unavailable
Response Properties
Name
In
Type
Description
domain
body
string
currently scoped domain for token.
exp
body
integer
token expiration time in seconds since unix epoch.
name
body
string
user name field value.
roles
body
string
list of assigned user roles to token.
token
body
string
token to be used for further requests.
user_domain
body
string
domain in which user resides.
user_id
body
string
internal UUID of user account.
username
body
string
login username.
Response Example
{"user_id":"c31a8f26-26e2-11ee-8506-af6e8a7f3a67","metadata":{"name":"Test User Name","system":false},"username":"test@example.com","user_domain":"example.com","domain":"example","exp":1689849985,"roles":["Root"],"token":"TOKEN_FOR_X-AUTH-TOKEN_HEADER"}
PUT
/v2/token
(identity)
Renew token (V2).
Service identity
After an authentication token has expired, a request can be made to retrieve a renewed authentication token. This can be done by either using the "refresh_token" provided when originally authenticating, or providing the user in question's password.
The renewed authentication token will expire in 1 hour.
Request Parameters
Name
In
Type
Description
MUST include
X-Timezone
header
string
Timezone for response datetime property values. (default UTC)
credentials
body
object
Credentials.
X
credentials.password
body
string
required only if "method" is set to "password".
credentials.token
body
string
the refresh_token obtained when originally authenticating, required only if "method" is set to "refresh_token".
domain
body
string
valid domain to scope authentication token domain context.
method
body
string
the authentication method, can be set to either "password" or "refresh_token".
X
tenant_id
body
string
valid tenant_id to scope authentication token tenant context.
user_domain
body
string
parent Domain for the authenticating user account.
