Accessing Corteza
Corteza separates the back-end business logic and the front-end user interface by defining an API that the clients (web applications and other custom applications) can access.
Corteza is API-centric, meaning that everything can be done via an API endpoint.
Authentication
Corteza uses bearer JWT tokens when authenticating HTTP requests.
JWT tokens grant access to your system, so treat them as login credentials. |
Obtaining access tokens
Before you can obtain the access token, you need to define an auth client, and a system user. You can use an existing user (such as yourself), or create a dedicated user.
Make sure that the system user has sufficient roles to be able to access resources which you wish to access. |
Create a new auth client with the client_credentials
grant type.
Insert the ID of the selected user under the "Impersonate user" (the user that we mentioned above).
Make sure that you are using Corteza 2021.3.4 or later. |
If the user’s ID is not set or is not valid, an Error: "auth client security configuration invalid"
error is returned.
curl -X POST $CORTEZA_URL/auth/oauth2/token \
-d grant_type=client_credentials \
-d scope=api \
-u <client id>:<client secret>
curl -X POST $CORTEZA_URL/auth/oauth2/token \
-d grant_type=client_credentials \
-d scope=api \
-u 229978909641277628:sMVVcYpXE6bOUm6gG0sJGKmDOzEgkYyhvKyrmcU9fGY8M4GhLd90lThZDxUUFLC9
{
"access_token": "ey...MsLA",
"expires_in": 7200,
"refresh_token_expires_in": 0,
"scope": "api",
"sub": "229974909641277121",
"token_type": "Bearer"
}
The above token expires after two hours; make sure to fetch a new one. |
Using access tokens
Each HTTP request to a protected resource must provide the bearer JWT token in the authorization
header.
{
"error": {
"message": "Unauthorized"
}
}
curl "$CORTEZA_URL" \
-H 'accept: application/json, text/plain, */*' \
-H "authorization: Bearer $JWT";
curl "$CORTEZA_URL" \
-H 'accept: application/json, text/plain, */*';
Endpoint | Other authentication methods |
---|---|
|
System generated signature. |
|
System generated signature. |
Endpoint | Other authentication methods |
---|---|
|
System generated OTT token. |
Endpoints
Each Corteza instance ships with a built-in API reference that is accessible on the /docs
endpoint of your Corteza API.
If you are using a different sub-domain for your API (two separate Docker containers for web app and API), the URL should look something like If you are using the same domain for your API (a single Docker container for web app and API), the URL should look something like |
Here we cover endpoints used for debugging and maintenance. Refer to the built-in API reference for the complete list of available endpoints. Here is the API reference for our community instance.
In addition to the API reference mentioned above, these are the system-level endpoints that need to be explicitly enabled. They can be enabled for development/debugging but should be disabled when running in production.
Option | Endpoints |
---|---|
|
|
|
|
|
|
Response data format
Corteza implements three different response formats, based on what we are trying to do and based on the status.
Error responses use the status code 200 OK, instead of the standard 4xx/5xx — legacy reasons. Our API clients cover this case and throw correct errors. |
When working with single items, the item (or its status) is provided in the response object. Example:
|
|||
When working with multiple items, the list of items is provided in the response array along with the filter object. Example:
|
|||
When an error occurs, the error message is provided under the Example:
When you enable error tracing via the Example:
|