Generating a service account token

Call the /security/oauth/token endpoint to generate a token for a service account.

A service account always needs a token to access Talend Cloud. In addition, this account also needs appropriate permissions to call the Talend service to be used.
This token used by service accounts is not a personal access token. It needs to be generated as explained in the following procedure.

Before you begin

Ensure that the user that issues API calls has the Service Accounts - Manage permission. The ID of this permission is TMC_SERVICE_ACCOUNT_MANAGEMENT.
You have generated a personal access token.
The service account for which you generate a token must already exist.
You have combined the ID and the secret of this service account in the following format: ID:secret and encoded this pair in a Base64 encode application of your choice. You can do this using the Expression Builder in Talend API Tester. For more information, see Adding the Authorization header.

About this task

In this section, the following API call is issued:

method: POST
endpoint: https://api.<env>.cloud.talend.com/security/oauth/token
headers: {
 "Content-Type": "application/json",
 "Authorization": "Basic <encoded_Base64_value_of_id-secret_pair>"
}
payload: {
  "audience":"https://api.<env>.cloud.talend.com",
  "grant_type":"client_credentials"
}

It is implemented in Talend API Tester for demonstration purposes.

Procedure

To generate a token, select POST from the Method list and in the field aside, enter the token endpoint to be used: https://api.<env>.cloud.talend.com/security/oauth/token
Click Add header twice to add two rows and enter the following key:value pairs:
- Content-Type : application/json
- Authorization : Basic <encoded_Base64_value_of_id-secret_pair>

In the Body area, enter the content of this call.

{
  "audience":"https://api.<env>.cloud.talend.com",
  "grant_type":"client_credentials"
}

Click Send to issue your call.
- The code 200 is returned with a token. This is the only time you see this token. Keep this token in a secret place. The service account needs this token to successfully issue API calls.
- This token expires after 30 minutes. Cache or store this token and reuse it until it expires. Then use this base64 ID:secret combination again to obtain a new token.
Save this API request and name it, for example, as Renew the SAT, so that you can reuse it to refresh the token.

Results

Your service account is now ready to be used to call Talend services.

What to do next

You need to monitor when your token expires, in either a reactive or a proactive manner.

Reactive: assume that the token is valid in every request and take action when you receive the response saying 401 unauthorized.
Proactive: once generated, a token is valid for 30 minutes. Be aware of the expiration time and renew the token accordingly.

Previous section: Creating a service account Next section: Using a service account to get users