Certificate Based Token Generation


This guide walks you through creating an access token using a JWT (JSON Web Token). This certificate-based approach eliminates the need to store any token while ensuring secure authentication and information exchange. A JWT signed by a pre-registered application certificate is used as the refresh token, which in turn is used to generate a new access token.

Here are the detailed steps that need to be followed for generating the certificate-based access token:

Step 1. Generate Key

Generate an environment-specific key. For more information, refer to the Getting Started guide for the detailed steps. 

Step 2. Generate Authentication Token

Once you have the key, the next step involves generating an authentication token. For more information, refer to OAuth 2.0 for Customers guide for the detailed steps. 

Step 3. Generate X509 Certificate

This step generates an X509 certificate, which provides:

  • A server.key file to authorize your organization with the auth:jwt:grant command.

  • A server.crt file to create the connected app required by the JWT bearer flow.

Here’s how to generate the X509 Certificate:

  1. Generate a private key, and store it in a file called server.key.

    openssl genrsa -des3 -passout pass:SomePassword -out server.pass.key 2048
    openssl rsa -passin pass:SomePassword -in server.pass.key -out server.key

    You can delete the server.pass.key file because you no longer need it.

  2. Generate a certificate signing request using the server.key file. Store the certificate signing request in a file called server.csr. Enter information about your company when prompted.

    openssl req -new -key server.key -out server.csr

  3. Generate a self-signed digital certificate from the server.key and server.csr files. Store the certificate in a file called server.crt.

    openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt

  4. Generate the key in .der format from the .key file (the .der key will be used in the Step 4 Java code).

    openssl pkcs8 -topk8 -inform PEM -outform DER -in server.key -out server.der -nocrypt

Step 4. Generate JWT Token

This step involves generating a JWT Token that needs to be used as the refresh token in the authentication process. 

Note

The generated JWT Token should not be cached/stored by the user in any way. The user should generate this new JWT Token each time to get a new access token.

Must-know conventions:

  • {iss}: issuer - App ID (generated using step 5)

  • {sub}: subject - Sprinklr’s instance login username

  • {aud}: audience - https://www.sprinklr.com/
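
The signing described in this step, as an added example that is not Sprinklr's own code (and is a shell sketch, not the Java code this guide refers to): it builds a JWT carrying the iss, sub and aud claims, signs it with server.key from Step 3, and checks the signature against server.crt the way a holder of the registered certificate would. RS256, the exp claim and the function names are assumptions; the page lists only iss, sub and aud.

```shell
#!/bin/sh
# Added example: sign a JWT with server.key, verify it with server.crt.
# Assumptions (not from the page): RS256 as the algorithm, an "exp" claim,
# and claim values that need no JSON escaping.

# base64url without padding (RFC 7515): stdin -> stdout
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# make_jwt KEY ISS SUB AUD TTL_SECONDS -> prints header.claims.signature
make_jwt() {
  exp=$(( $(date +%s) + $5 ))
  hdr=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  claims=$(printf '{"iss":"%s","sub":"%s","aud":"%s","exp":%s}' \
    "$2" "$3" "$4" "$exp" | b64url)
  sig=$(printf '%s.%s' "$hdr" "$claims" |
    openssl dgst -sha256 -sign "$1" -binary | b64url)
  printf '%s.%s.%s\n' "$hdr" "$claims" "$sig"
}

# verify_jwt CERT TOKEN -> returns 0 only if the signature over
# header.claims matches the public key inside CERT
verify_jwt() {
  work=$(mktemp -d) || return 2
  input=${2%.*}   # header.claims
  sig=${2##*.}    # base64url signature
  # Restore the padding that base64url strips
  while [ $(( ${#sig} % 4 )) -ne 0 ]; do sig="$sig="; done
  printf '%s' "$sig" | tr '_-' '/+' | openssl base64 -d -A > "$work/sig.bin"
  openssl x509 -in "$1" -pubkey -noout > "$work/pub.pem"
  printf '%s' "$input" | openssl dgst -sha256 -verify "$work/pub.pem" \
    -signature "$work/sig.bin" >/dev/null 2>&1
  rc=$?
  rm -rf "$work"
  return "$rc"
}

# Usage with the Step 3 files; <APP_ID> and <USERNAME> are placeholders:
#   token=$(make_jwt server.key "<APP_ID>" "<USERNAME>" "https://www.sprinklr.com/" 300)
#   verify_jwt server.crt "$token" && echo "signature matches server.crt"
```

Because the token is rebuilt on every call with a short lifetime, nothing needs to be written to disk except the private key, which should stay readable only by the account that signs.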

Step 5. App Registration

This step involves executing an API call for app registration. The API details are mentioned as follows: 

Method Type: POST

API Endpoint: https://api2.sprinklr.com/{{env}}/api/bdi/app/register

Headers

| Key | Value | Description |
| --- | --- | --- |
| Authorization | Bearer {{token}} | Credential used by the API to authenticate a user with the server. For generating an authorization token, refer to the Authorize section on the developer portal. |
| X-API-KEY | api-key | API key helps authenticate the application with the server. For generating an API key, refer to the Getting Started guide. |
| Content-Type | application/json | Content-Type is a representation header that determines the type of data (media/resource) present in the request body. |

Request Parameters

| Parameter | Required/Optional | Description | Type |
| --- | --- | --- | --- |
| X509 certificate (server.crt) | Required | This is the digital certificate. You upload this file when you create the connected app required by the JWT bearer flow. The JWT token uses a public/private key pair in the form of an X.509 certificate for signing. | String |

Request - Example


Response - Example