Managing API authentication
The API that drives BDP Console's functionality is publicly documented and available for our customers to invoke via code. All calls to it need to be properly authenticated using JSON Web Tokens (JWT) that can be acquired via the Credentials API.
Credentials UI v1โ
Previously, BDP Console was using the Password authentication flow to support machine-to-machine (m2m) applications. Under that scenario a BDP customer had to create a bot user in their account, retrieve a client ID and a client secret, and use all three to acquire a JWT. Customers who have enabled these credentials in the past will see the following panel in their Console account settings:
Legacy Snowplow BDP credentials management
This method and the respective credentials still work for those who have been using them, however we strongly advise that customers upgrade to the current iteration where the only secret to be used by m2m applications is an API key which can be exchanged for a JWT as described below.
Credentials UI v2โ
API keys generation view
It is possible to have multiple different keys, and deletion of a key is also possible. When a new API key is created, the following view shows up:
Showing a newly created API key
This is a secret, equivalent to a username and a password combined, and should be handled as such at all times. As soon as you have an API key, it is straightforward to exchange it for a JWT. If you would do that using curl, it would look as follows:
curl \
--header 'X-API-Key: <API_KEY>' \
https://console.snowplowanalytics.com/api/msc/v1/organizations/<ORGANIZATION_ID>/credentials/v2/token
You can find your organization's ID within the BDP Console URL:
The organization ID is the UUID in the first URL segment after the host.
The curl command above will return a JWT as follows:
{"accessToken":"<JWT>"}
You may then use this access token value to supply authorization headers for subsequent API requests:
curl --header 'Authorization: Bearer <JWT>'
Authenticating with v2 only required the API key secret. While this method and the respective credentials will continue to work, we strongly advise you to use v3 detailed below.
Credentials UI v3โ
The following view is available to all customers under BDP Console settings:
API keys generation view
You can create multiple API keys, and it's also possible to delete any key. When a new API key is generated, the following view will appear:
Newly created API key view
In v3, both the API key ID and API key are required. The api key functions like a combination of a username and password, and should be treated with the same level of security. Once you have an API key and key ID, exchanging it for a JWT is straightforward. For example, using curl, the process would look like this:
curl \
--header 'X-API-Key-ID: <API_KEY_ID>' \
--header 'X-API-Key: <API_KEY>' \
https://console.snowplowanalytics.com/api/msc/v1/organizations/<ORGANIZATION_ID>/credentials/v3/token
You can find your organization's ID in the BDP Console URL:
The organization ID is the UUID in the first URL segment after the host
The curl command above will return a JWT as follows:
{"accessToken":"<JWT>"}
You can then use this access token to supply authorization headers for subsequent API requests:
curl --header 'Authorization: Bearer <JWT>'