App Authentication With Client Certificate

This method requires client key and certificate files, along with the app UUID.


// Create PKCS#12 keystore
$ openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -name "my-sdkms-app" -out client-sdkms.p12
// Above asks for password to be set. Note this password

// C# code
using System.Security.Cryptography.X509Certificates;
X509Certificate2 certificate = new X509Certificate2("client-sdkms.p12", <pkcs12-keystore-pass>);
Configuration.Default.BasePath = "<Endpoint URL>";
Configuration.Default.Username = "<App UUID>";
Configuration.Default.ApiClient.RestClient.ClientCertificates = new X509CertificateCollection() { certificate };

AuthenticationApi authenticationApi = new AuthenticationApi();
AuthResponse response = authenticationApi.Authorize();
Configuration.Default.AddApiKey("Authorization", response.AccessToken);
Configuration.Default.AddApiKeyPrefix("Authorization", "Bearer");


certFile := "client-crt.pem"
keyFile := "client-key.pem"
cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
caCertPool := x509.NewCertPool()
tlsConfig := &tls.Config{
       Certificates: []tls.Certificate{cert},
       RootCAs: caCertPool,
transport := &http.Transport{TLSClientConfig: tlsConfig}
http_client := &http.Client{Transport: transport}
ctx := context.Background()
client := sdkms.Client{
      Endpoint: "<Endpoint URL>",
      HTTPClient: &http_client,
_, err := client. AuthenticateWithUserPass(ctx, <App UUID>, "")


The client certificate and client private key must be supplied in a PKCS#12 keystore.

// Create PKCS#12 keystore
$ openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -name "my-sdkms-app" -out client-sdkms.p12

// Set the keystore in Java program
System.setProperty("", "pkcs12");
System.setProperty("", </path/to/client-sdkms.p12>);
System.setProperty("", <password of the PKCS#12 archive>);

ApiClient apiClient = new ApiClient(); apiClient.setBasePath(<Endpoint URL>); apiClient.setUsername(<App UUID>); AuthenticationApi authenticationApi = new AuthenticationApi(apiClient); AuthResponse authResponse = authenticationApi.authorize(); ApiKeyAuth bearerTokenAuth = (ApiKeyAuth) apiClient.getAuthentication("bearerToken"); bearerTokenAuth.setApiKey(authResponse.getAccessToken());


config = sdkms.v1.Configuration() = "<Endpoint URL>"
config.username = <App UUID>
config.cert_file = <client-cert.pem>
config.key_file = <client-key.pem>
client = sdkms.v1.ApiClient(configuration=config)
auth_instance = sdkms.v1.AuthenticationApi(api_client=client)
auth = auth_instance.authorize()
config.api_key['Authorization'] = auth.access_token
config.api_key_prefix['Authorization'] = 'Bearer'

REST API using curl

$ curl <Endpoint URL>/sys/v1/session/auth -X POST -u <App UUID>: --cert <client-cert.pem> --key <client-key.pem>
> {"token_type":"Bearer","expires_in":600,"access_token":"YhXwwa- 6C...L9kRxswmPZkEFQ2ig5g","entity_id":"7916b324-33a1-4a06-8778-59ec0492bb10"}
#if prompts for password, just press enter

#use the "access_token" as Bearer Auth in other API requests. E.g:
$ curl <Endpoint URL>/other_apis -H 'Authorization: Bearer YhXwwa- 6C...L9kRxswmPZkEFQ2ig5g ' --cert <client-cert.pem> --key <client-key.pem> ...
The user’s password, API key, or client certificate private key will grant access to all the keys and methods that the user or application has access to. You should protect these like other sensitive information and not store these in the scripts.


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful