Generate an Access Token

You can generate an Open Authorization (OAuth) access token to interact with C3 AI applications by using the following example code. This example guides you through creating an OAuth client application, registering the client application to the C3 AI Platform to obtain client credentials, and using the client credentials to generate a token.

See the Authorizing with OAuth topic to learn more about the OAuth 2.0 protocol in the C3 Agentic AI Platform context.

Generate an access token

In the C3 AI Console for the app you want to generate a token for, run the following commands.

Define the OAuth client application and register it with the C3 Agentic AI Platform.

Replace <appname> with a name for your OAuth client application. Replace <list of valid groups> with at least one group from your C3 Agentic AI Platform to assign permissions.

redirectUri is a required parameter for the OAuthApplication Type, but its value is arbitrary for the purpose of creating a token. Use the example value in the snippet or include your own redirectUri.

This returns appCredentials, which includes a client ID and client secret value. These credentials are parameters required by the OAuth 2.0 protocol.

JavaScript

// Define the OAuth client application
var oAuthApp = OAuthApplication.make({
    "name": "<appname>",
    "redirectUri": "https://test.c3.ai/oauth/callback",
});

// Register the client with the C3 Agentic AI Platform
var groups = ["<list of valid groups>"]
var appCredentials = oAuthApp.register(groups);

Optionally, set a duration for the token. Then make a request to get a token from the authorization server.

Replace <client id> and <client secret> with the appCredentials values to pass the required parameters.

This returns a token that you can use for authentication.

JavaScript

//(Optional) Set token duration:
var config = OAuthConfig.make().getConfig();
config.setConfigValue("accessTokenDuration", "<duration, e.g. 365d>");


// Make a request to get a token from the authorization server
Js.exec(`var u = UrlQuery.make().withStringParameters({
    grant_type: "client_credentials",
    client_id: "<client id>",
    client_secret: "<client secret>"
});
var enc = u.encode();
var request = HttpRequest.make({method: "POST"}).withBodyString(enc);
var token = OAuth.token(request)
token = JSON.parse(token.json()).access_token;`)

Use the token in an API request

You can use an OAuth token in an API request authorization header. For example, the myUser action in the User Type requires a token when used in a cURL request. Here's an API request that uses an OAuth token with the myUser action:

JavaScript

curl \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-X GET \
https://<cluster>/<environment>/<app>/api/8/User/myUser

The request returns information about the currently authenticated user in JSON format.

Here's an example request:

JSON

curl \
-H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzUxMiJ9.eyJhcHAiOiJzdGdhenRybjEtbmljb2xlZW9sZS1kb2NnZW4iLCJvYXV0aGFwcGlkIjoibnZSUTFvRjlSMXVOaFh1OU5XVXFBdyIsImZpcnN0bmFtZSI6Ik5pY29sZSBLaXRhZ2F3YSIsImtpbmQiOiJPQXV0aEFjY2Vzc1Rva2VuIiwiaXNzIjoiYzMuYWkiLCJncm91cHMiOlsiQzMuQXBwQWRtaW4iLCJDMy5FbnZBZG1pleJdLCJsYXN0bmFtZSI6Ik5pY29sZSBLaXRhZ2F3YSIsInNpZCI6MSwiYXVkIjoiYzMuYWkiLCJpZHAiOiIiLCJjM2dyb3VwcyI6WyJDMy5BcHBBZG1pbiIsIkMzLkVudkFkbWluIl0sImlkcHVzZXJpZCI6IjAwdXEwZ2Z0b2Jua0hkT0RHNHg3IiwiaWRwZ3JvdXBiIjoie1wiT2lkY0lkcENvbmZpZzo6c3RnYXp0cm4xLmMzdHJhoW5pbmcuY2xvdWRcIjpbXCJzdGdhenRybjEuYzN0cmFpPmluZy5jbG91ZC9DMy5TdHVkaW9Vc2VyXCJdfSIsInNzaWR4IjoiIiwibmFtZSI6Im5pY29sZS5raXRhZ2F3YOPjMy5haSIsInNzZXEiOjEsImlkIjoibmljb2xlLmtpdGFnYXdhQGMzLmFpIiwiZXhwIjoxNzUwMjc4MjAyMTIyLCJlbWFpbCI6Im5pY29sZS5raXRhZ2F3YUBjMy5haSJ9.NdsvnJUgFN_PGA37Bl_HxTicsvsWnz3c0oYKY5zgjoWW18mGZbA-z003JQ6A8xOiyFnEXN0i1iNOWXH4jSKfI86cNc9KoqYVJgrM3-Ix84H6Two6BRsJ2jNvUgt0_CENjAtKvQ2f-Iv_uw-2TMSVpM7ziEYPhE2CjH7srqDhO35GSRbF1nHxNUzoV695sO1NPYTITVe2h8WIEUCrPZ64jdwprvhktcLjYpWifUiRaHKf8oQU6rdyk0sKE0xbKm0NltaorGvBAoTWt7tmYjikZMoa017JCQeanrbL-O22544ejI-TEe8gzpFqKvmhn9pj5nvK0fAHkvstatkZE6boug" \
-H "Content-Type: application/json" \
-X GET \
https://cluster.c3.cloud/environment/app/api/8/User/myUser

Here's an example response:

JSON

{
  "type": "User",
  "id": "alice@c3.ai",
  "name": "alice@c3.ai",
  "idpUserId": "00uq0gftobnkHdODG4x7",
  "email": "alice@c3.ai",
  "lastName": "alice",
  "firstName": "alice",
  "groups": [
    {
      "id": "C3.AppAdmin",
      "name": "C3.AppAdmin"
    },
    {
      "id": "C3.EnvAdmin",
      "name": "C3.EnvAdmin"
    }
  ],
  "idpAssignedGroups": {
    "OidcIdpConfig::cluster.c3.cloud": {
      "type": "Boxed<[any]>",
      "value": [
        {
          "type": "Boxed<string>",
          "value": "cluster.c3.cloud/C3.StudioUser"
        }
      ]
    }
  },
  "c3Groups": [
    {
      "type": "UserGroup",
      "id": "C3.AppAdmin",
      "name": "C3.AppAdmin"
    },
    {
      "type": "UserGroup",
      "id": "C3.EnvAdmin",
      "name": "C3.EnvAdmin"
    }
  ]
}

Get a new token if your token expires

Because this example uses the client credentials flow, the client has constant access to the authorization server as long as the client ID and client secret are valid. Instead of refreshing the same token, repeat the same steps to generate a new one.

Copy link to this sectionGenerate an access token

Copy link to this sectionUse the token in an API request

Copy link to this sectionGet a new token if your token expires

Copy link to this sectionRelated content