Access Token Management
Access Token is a string that identifies a user, app, or web page and is used by the API client app to access an API. The access token provides a temporary and secure access to the APIs. This token is a "bearer token", which means the bearer of this token is granted access into the system.
An access token is required to securely make an API Request to HPE Aruba Networking Central API Gateway. Access tokens are valid for 2 hours. Once expired, you can renew the token using a Refresh Token.
New access token can be generated in two ways -
- Using API Gateway in Web UI
- Using OAuth APIs. This method can only be used by non-SSO users
Note
An Access Token expires in 2 hours. Instead of generating a new token, the expired token can be refreshed via an API call. More information on refreshing an expired access token is available in this section
Obtain Access Token (via Web UI)
New access token will be generated upon creating an application in the API Gateway as described in the previous section (Creating Application & Token).
Multiple access tokens can be created for an app. To add more access token to an app or generate a new access token, follow the steps similar to creating the API client application.
- Click on + Add Apps & Token button
- Enter the existing application name and choose application type from the drop down box.
- When existing application name is used, new access token will be generated and populated in the Token List table
The generated access token can be found in the Token List table under My Apps & Tokens (System Apps & Tokens, if admin user) under API Gateway Page.
Click the Download Token button to view the generated token. The Access Token will contain the the following details in JSON format.
- access_token: Contains access token value to be used in API requests
- refresh_token: Contains a refresh token string. Using this value in Refresh Token API, the existing access token can be refreshed to a value, instead of creating a new access token.
{
"access_token": "xxxx",
"appname": "xxx",
"authenticated_userid": "[email protected]",
"created_at": 1582847137105,
"credential_id": "xxxx",
"expires_in": 7200,
"id": "xxxx",
"refresh_token": "xxxx",
"scope": "all",
"token_type": "bearer"
}
Note
An access token can also be revoked by an admin user by clicking on the Revoke Token button. In this case, one cannot use refresh token to regain access. To obtain access again, new token needs to be created.
Refreshing an Expired Token
Access token, used for authentication API requests, are valid for 2 hours. To avoid interruptions, refresh tokens are used to obtain a new access token without full re-authentication. By securely managing refresh tokens, you can automate the renewal process via the Refresh Token API. This API should be used to before or after the access token expires to obtain a new access & refresh token pair, eliminating the need to repeat the steps required to generate a new access token from scratch.
Warning
A refresh token is valid for 14 days. After this period, the refresh token can no longer be used, and you will need to access the Central UI or use OAuth APIs to generate a new access and refresh token pair.
It's recommended to refresh an existing access token rather than creating a new one, as you can only generate a new access token every 30 minutes for the same client_id
Below are details of the Refresh API including its request and response structure. You can also try out this API directly on our Developer Hub here
API Request
API Endpoint: oauth2/token
API Method: POST
Base URL: https://apigw-prod2.central.arubanetworks.com (Replace the Base URL with correct API Gateway)
Request Header: Set the “Content-Type” as “application/json”
Request Query Params:
Key | Value |
---|---|
client_id | Unique Application ID associated with the user. |
client_secret | Unique Application secret ID associated with the user. |
refresh_token | This is the refresh token that is returned when the access token is generated. |
grant_type | refresh_token |
cURL API Request
Replace central-API-Gateway-base-URL, central-API-app-client-id, central-API-app-client-secret, and central-refresh-token with respective values
curl --request POST '<central-API-Gateway-base-URL>/oauth2/token?client_id=<central-API-app-client-id>&client_secret=<central-API-app-client-secret>&grant_type=refresh_token&refresh_token=<central-refresh-token>'
API Response
The response payload contains the access token and refresh token in JSON format. This new "access_token" should be used for further requests and "refresh_token" should be used for next token refresh.
{
"refresh_token": "xxxx",
"token_type": "bearer",
"access_token": "xxxx",
"expires_in": 7200
}
Note
For more information check out the HPE Aruba Networking Central Documentation Center .
Effectively managing access and refresh tokens ensures continuous access to Central's APIs. By using refresh tokens, you reduce the need for frequent re-authentication and align with Central's rate limits. Following best practices such as secure token storage and using the Refresh API for renewal, helps maintain a smooth workflow and reliable API access to Central for your applications.
Updated about 2 months ago