Access Tokens for REST APIs - Administrators

You can execute Commvault REST API requests using a service account or a user account with the corresponding access token, which is inserted in a Bearer Token header. You can use access tokens as an alternative to token-based authentication via the Authtoken request header.

Alternatively, you can use the Create access token for the user API to create an access token.

Note

End users can execute REST APIs by adding only an access token to their user account.

Access Token Scope

You can create access tokens with the following scopes:

  • All: Executes all of the Commvault REST APIs.

  • Microsoft SCIM: Executes Microsoft Azure SCIM protocol REST APIs.

  • 1-Touch recovery: Executes the following 1-Touch APIs:

    • /Client

    • /MediaAgent

    • /ClientGroup

    • /V4/ServerGroup

    • /FirewallSummary

  • Hyperscale: Executes all Hyperscale REST APIs.

  • Custom: Executes specific APIs.

Refresh Tokens

A refresh token is automatically created when you create an access token with the scope All, Custom, or Hyperscale. You must use the corresponding refresh token to renew the access token after it expires.

Access Token Validity

  • For scopes All, Custom, and Hyperscale, by default, each access token is valid for 30 minutes after creation, and the default Renewal until time is 90 days. You can renew the token multiple times until the Renewal until time. When the token expires after 30 minutes, you can renew it using the refresh token within 14 days. If you don't renew the token within 14 days, the token becomes invalid and you can no longer use it. In this case, you must add a new access token. After the Renewal until time, you must add a new access token when the access token expires.

  • For scopes All, Custom, and Hyperscale, you can set the Renewal until time to Forever. When the token expires after 30 minutes, you can renew it using the refresh token within 14 days. You can keep using the same token as long as you renew it within 14 days each time it expires. If you don't renew the token within 14 days, the token becomes invalid and you can no longer use it. In this case, you must add a new access token.

  • For scope Microsoft SCIM, the default expiration period is 30 days. The access token for this scope does not expire every 30 minutes. You can continue to use the same access token until the expiration time. After the expiration time, you must add a new access token.

  • For scope 1-Touch recovery, the default expiration period is 7 days. The access token for this scope does not expire every 30 minutes. You can continue to use the same access token until the expiration time. After the expiration time, you must add a new access token.
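
The validity rules above can be modelled as a small decision function, for example to audit a token inventory for tokens about to miss their 14-day renewal window. This is an added example, not Commvault code: the function names, the return labels and the inventory are hypothetical, and the handling of exact boundaries (precisely 30 minutes or 14 days) is an assumption.

```python
from datetime import datetime, timedelta
from typing import Optional

ACCESS_LIFETIME = timedelta(minutes=30)       # scopes All, Custom, Hyperscale
REFRESH_WINDOW = timedelta(days=14)           # time allowed to renew after expiry
DEFAULT_RENEWAL_UNTIL = timedelta(days=90)    # default Renewal until time
FIXED_LIFETIME = {                            # scopes without the 30-minute expiry
    "Microsoft SCIM": timedelta(days=30),
    "1-Touch recovery": timedelta(days=7),
}
RENEWABLE_SCOPES = {"All", "Custom", "Hyperscale"}


def token_action(scope: str, created: datetime, now: datetime,
                 last_issued: Optional[datetime] = None,
                 renewal_until: Optional[datetime] = None,
                 forever: bool = False) -> str:
    """Return 'use', 'renew' or 'add_new' for a token at time `now`.

    last_issued: creation or most recent renewal (defaults to `created`).
    renewal_until: the Renewal until time (defaults to created + 90 days).
    forever: the Renewal until time is set to Forever.
    """
    if scope in FIXED_LIFETIME:
        return "use" if now < created + FIXED_LIFETIME[scope] else "add_new"
    if scope not in RENEWABLE_SCOPES:
        raise ValueError(f"unknown scope: {scope!r}")

    expires = (last_issued or created) + ACCESS_LIFETIME
    if now < expires:
        return "use"
    if not forever and now >= (renewal_until or created + DEFAULT_RENEWAL_UNTIL):
        return "add_new"      # expired after the Renewal until time
    if now - expires <= REFRESH_WINDOW:
        return "renew"        # refresh token can still renew it
    return "add_new"          # 14-day window missed: token is invalid


# Constructed inventory: (name, scope, last renewal or None if never renewed)
CREATED = datetime(2025, 1, 1)
INVENTORY = [
    ("ci-backup", "All", CREATED + timedelta(days=10)),
    ("scim-sync", "Microsoft SCIM", None),
    ("stale-job", "Custom", None),
]


def audit(now: datetime) -> dict:
    """Map each constructed token name to the action it needs at `now`."""
    return {name: token_action(scope, CREATED, now, last_issued=renewed)
            for name, scope, renewed in INVENTORY}
```
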

Important

Access tokens created before 11.38 are valid and will be honored until their expiry. However, you cannot edit these tokens; instead, you can delete the existing ones and create new tokens for the same purpose.

For such access tokens, on the Edit token dialog box, the following message appears:

This token was upgraded from an older format and cannot be edited.

Notifications and Authorization

Each time an access token is created or modified, an email notification is automatically sent to the user associated with that token.

Because service accounts do not have their own email addresses, notifications are sent instead to users who have User Management or Administrative Management permissions on that service account.

For enhanced security, some actions related to service accounts require dual authorization. These include:

  • Creating a service account

  • Adding or updating service account associations

  • Adding, updating, or removing user groups from a service account
