Creating an Access Token and a Refresh Token

You must create an access token for a service account to execute REST APIs. While creating an access token, you must provide a display name, expiration date or renewable period, and scope. Creating an access token for scopes All, Custom, and Hyperscale also automatically generates a refresh token, which you will need to renew the access token after it expires.

After creating an access token, you can use it in your API requests as a Bearer Token.

Important

  • You cannot create an access token for another user at the user account level.

  • An access token functions like a password.

  • If you lose the tokens, they cannot be retrieved.

  • You can add multiple tokens for the same service account.

  • You cannot create, edit, or delete an access token using another access token.

Before You Begin

You must have one of the following permissions at the CommCell or company level:

  • User Management

  • Administrative Management

Procedure

  1. From the Command Center navigation pane, go to Manage > Security.

    The Security page appears.

  2. Click the Users tile.

    The Users page appears.

  3. Click the service account username.

    The user page appears.

  4. On the Access tokens tab, click Add token.

    The Add token dialog box appears.

  5. Enter the token's name, expiry date, and scope.

    By default, an access token expires after 30 minutes, and the scope is set to All, which includes all api.commvault.com endpoints.

  6. To set a different scope, from the Scope list, select one of the following:

    • 1-Touch recovery: Executes the following 1-Touch APIs:

      • /Client

      • /MediaAgent

      • /ClientGroup

      • /V4/ServerGroup

      • /FirewallSummary

    • Hyperscale: Executes Hyperscale REST APIs.

    • Microsoft SCIM: Executes Microsoft Azure SCIM protocol REST APIs.

    • Custom: Executes specific APIs (for example, /Subclient).

      • Allowed endpoints: For a custom scope, specify the endpoints that you want to allow with this access token by entering each endpoint on a new line.

        For example, if you enter /plans, you can execute all plan operation REST APIs starting with /plan.

  7. To restrict the IP addresses from which the service account can be used to execute REST APIs, do the following:

    1. In the IP allowlist section, click Edit.

      The Edit IP allowlist dialog box appears.

    2. Enter the IP addresses or CIDR range. You can enter the IP address in IPv4 or IPv6 format.

      Examples:

      • IPv4 format: 10.0.0.1
      • Single IPv6 format: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
      • IPv4 CIDR range: 1.1.1.0/24
      • IPv6 CIDR range: 2001:0db8:85a3::/64
      • IPv4 range: 1.1.1.0 - 1.1.1.25
      • IPv6 range: 2001:db8::1 - 2001:db8::ffff

    3. Click Save.

  8. Click Submit.

    An access token and a refresh token appear.

  9. Copy and save the tokens.

  10. Click Close.
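
Added example (not part of the original page and not Commvault's code): a local pre-check in Python that parses entries in the six formats listed in step 7 and tests whether a given source address would be covered, so typos are caught before the allowlist is saved. The function names, the inclusive treatment of range endpoints, and the rejection of CIDR entries with host bits set are assumptions of this example; the page does not describe how Command Center validates entries.

```python
import ipaddress
import re

# The six example entries from step 7, plus two constructed bad entries.
SAMPLE = [
    "10.0.0.1",
    "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
    "1.1.1.0/24",
    "2001:0db8:85a3::/64",
    "1.1.1.0 \u2013 1.1.1.25",
    "2001:db8::1 - 2001:db8::ffff",
    "10.0.0.1/24",          # constructed: host bits set, probably a typo
    "1.1.1.25 - 1.1.1.0",   # constructed: reversed range
]


def parse_entry(entry):
    """Return the ip_network objects covered by one allowlist entry."""
    parts = [p.strip() for p in re.split(r"[-\u2013]", entry.strip())]
    if len(parts) == 1:
        # Single address or CIDR; strict=True rejects e.g. 10.0.0.1/24.
        return [ipaddress.ip_network(parts[0], strict=True)]
    if len(parts) != 2:
        raise ValueError("expected 'start - end'")
    start, end = (ipaddress.ip_address(p) for p in parts)
    if start.version != end.version:
        raise ValueError("range mixes IPv4 and IPv6")
    if start > end:
        raise ValueError("range start is after range end")
    # Assumption: both range endpoints are inclusive.
    return list(ipaddress.summarize_address_range(start, end))


def load_allowlist(entries):
    """Parse every entry; return (networks, [(entry, error), ...])."""
    networks, errors = [], []
    for entry in entries:
        try:
            networks.extend(parse_entry(entry))
        except ValueError as exc:
            errors.append((entry, str(exc)))
    return networks, errors


def is_allowed(ip, networks):
    """True if the source address falls inside any parsed entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in networks)
```

Run `load_allowlist` on the planned entries first, then call `is_allowed` with the address of each host that will present the token to confirm it is covered.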

Results

  • The access token is valid for 30 minutes.

  • After thirty minutes, use the Refresh token API to refresh the token according to the following rule:

    • For scopes All, Custom, and Hyperscale, by default, you can renew the token multiple times until 90 days after creation.