References → Public API v2

Overview

The second version of Incorta public API (Public API v2) is available starting the 2023.4.0 release. This release introduces seamless authentication, facilitating the generation of access tokens for Public API v2. The level of data access through the public API is determined by the user account that generated the API access token.

Note

Starting with the 2023.4.0 release, users can use either a personal access token (PAT) that they create by using the Profile Manager or a Java Web Token (JWT) generated using a user-configured OAuth 2.0 authorization server. The system supports using only one method of authentication at a time.

This document is dedicated to users who use an Incorta release starting 2023.4.0. For details on how to have access to Incorta public API on older releases, refer to References → Public API v1.

This document assumes that the developer user has a general understanding of RESTful APIs and how to access the public API v2 endpoints.

Acquiring public API access

The following is an outline of the steps required to get started with Public API v2:

Enable public API access

As the Incorta Super User or a user with the SuperRole, you enable the users' ability to access Incorta public API. When granted permission to access the public API, each user will receive an email notification at the corresponding user email. The user account will need to have logged in at least once to receive an email notification.

In regard to personal access tokens (PATs), each user can create and maintain up to 10 active access tokens and set an expiration date for each token. The user can also revoke any access token. The user or any third-party application can't use a revoked access token when using the API endpoints.

Note

Any user or user group with the SuperRole will always have the ability to access the public API. This functionality can't be disabled.

The following are three methods available for enabling API access:

Enable public API access for multiple users

Here are the steps to enable API access for multiple users:

  • As an Incorta Super User or a user with the SuperRole, sign in to the Incorta Direct Data Platform™.
  • In the Navigation bar, select Security.
  • In the Action bar, select Users.
  • Select the checkbox next to each user for which you would like to enable public API access.
  • From the more option menu (kebab icon), select Enable Public API.

Enable public API access by user groups

Here are the steps to enable public API access for user groups:

  • As an Incorta Super User or a user with the SuperRole, sign in to the Incorta Direct Data Platform™.
  • In the Navigation bar, select Security.
  • In the Action bar, select Groups.
  • Select the checkbox next to each group for which you would like to enable public API access.
  • From the more option menu (kebab icon), select Enable Public API.

Enable public API access for individual users

Here are the steps to enable public API access for individual users:

  • As an Incorta Super User or a user with the SuperRole, sign in to the Incorta Direct Data Platform™.
  • In the Navigation bar, select Security.
  • In the Action bar, select Users.
  • Select the checkbox next to the user for which you would like to enable public API access.
  • Select Edit (pen icon) in the upper right corner of the Security page.
  • In the Edit User drawer, select the Security tab.
  • In the Developer Tool section, toggle Enable Public API.

Create an API access token

There are two ways to acquire an access token, through Incorta personal access token (PAT) and OAuth 2.0.

Note

Incorta PAT is the default authentication method.

Create access token using Incorta

As a developer user, once you have public API access enabled for your user account, you can create and maintain up to 10 active access tokens and set an expiration date for each token. API access tokens identify and authenticate the corresponding user account when using the API endpoints.

Here are the steps for a user to create an API access token:

  • As the user that wants to generate an API access token, sign in to the Incorta Direct Data Platform™.
  • Select profile (person icon) in the top right corner of the Navigation bar.
  • Select your username to open your profile.
  • In the Edit User drawer, select the Security tab.
  • In the API Tokens section, select Create Personal Access Token.
  • In the Create New API Token dialog,
  • Enter a name for the access token.
  • Specify the expiration date. You can select from predefined periods: 7 days, 30 days, or 90 days, or you can select Select expiry date and specify a custom expiry date. You can also set the validity of the access token to Never Expire.
  • Select Create.
  • Make sure to copy the generated access token and keep it as you can't see it again once you close the dialog.
  • Select Close

Create access token using OAuth 2.0

You must enable the OAuth 2.0 for Public APIs Authentication option in the CMC and have your own configured authorization server.

You should still enable the public APIs for the designated users so they can use the APIs.

Use the following steps to configure your authorization server, knowing that each identity provider (IDP) has a different way of configuration:

  • Configure Incorta on your IDP (authorization server).

  • The following claim must be identified in a generated access token, knowing that namespace is https://incorta.com:

    • namespace/email, where email is the configured loginName of the user

      For example:

      exports.onExecutePostLogin = async (event, api) => {
      // This adds the authenticated user's email address to the access token.
      if (event.authorization) {
      const namespace = 'https://incorta.com';
      api.accessToken.setCustomClaim(`${namespace}/email`, event.user.email);
      }
      };
      Note

      In 2023.4.0 and 2023.4.1 releases, you must identify another claim: namespace/tenant, where tenant is the user tenant name in Incorta.

      For example: api.accessToken.setCustomClaim(`${namespace}/tenant`, 'default');

  • Add your configured IDP URL in the CMC after enabling OAuth 2.0 for Public APIs Authentication.

When enabling using OAuth 2.0

It is important to note the following when you enable OAuth 2.0 as your authentication method:

  • You can only consume OAuth 2.0 tokens with Public APIs v2.
  • Any configured scripts using PAT will not work and you must update your scripts accordingly.

When disabling using OAuth 2.0

It is important to note that when you disable OAuth 2.0, any scripts using PAT keys will behave in their old manner if the PAT has not expired.

Revoke a personal access token

You can revoke any personal access token. When you revoke an access token, you can't undo this action as the access token is removed from the list.

Important

You or any third-party program can't use a revoked access token when using the API endpoints. Any program using a revoked personal access token will need to be updated with a valid API access token to maintain functionality.

Here are the steps to revoke a personal access token:

  • Sign in to the Incorta Direct Data Platform™.
  • Select profile (person icon) in the top right corner of the Navigation bar.
  • Select your username to open your profile.
  • In the Edit User drawer, select the Security tab.
  • In the API Tokens section, for the row of the access token you want to revoke, select Revoke.
  • In the dialog, select Yes, revoke.

Public API v2 endpoints

Note

All Incorta API endpoint’s timestamp values in both request and response payloads use the unix epoch timestamp in milliseconds.

You can access the Incorta public API v2 user interface for your Incorta instance at the following URL:

https://<cluster_URL>/incorta/api?urls.primaryName=v2
Note

You must use the HTTPS scheme to be able to successfully run the API endpoints. Additionally, you must specify the tenant name (case-sensitive) in the endpoint request URL starting with the 2023.7.0 release.

The Base URL of all the Public API v2 endpoints is: /incorta/api/v2.

The following are the available endpoints in Public API v2: