Authenticate with admin APIs

Note: The content on this page has been altered to redact confidential work information. 🧋

Admin APIs allow you to access and configure Bubble Tea Services as an administrator. To authenticate admin APIs, you must create and use service accounts.

Create a service account

To create a service account, follow these steps:

  1. In the Bubble Tea Dashboard, go to Projects > Service accounts.

  2. Select Create service account to create a new account.

  3. In the Keys section, select Create key to generate a key ID and a secret key.

  4. Add a role to your service account to allow access to API endpoints.

    • Select Add organization role to grant access to organization-level data that applies to all projects in your organization.

    • Select Add project role to grant access to project-level data that applies to individual projects.

You can now use either your service account credentials or a stateless authentication token to authenticate and call an API.

Authenticate an API using service account credentials

To authenticate an API using your service account credentials, open a terminal and enter the following authorization HTTP header:

curl -H "Authorization: Basic <SERVICE_ACCOUNT_CREDENTIALS>" \
https://services.api.bubbletea.com/<ENDPOINT>

Base64 uses the key ID and secret key you generated when you created a service account to encode the string <KEY_ID>:<SECRET_KEY> and create the <SERVICE_ACCOUNT_CREDENTIALS>.

For example, if your key ID is 7e0f1152-e0dd-4b14-8e37-04cab07efeb0 and your secret key is NKxoRp2m2w3e9gzJfssNQnTfypFgtJn7, your header will be 7e0f1152-e0dd-4b14-8e37-04cab07efeb0:NKxoRp2m2w3e9gzJfssNQnTfypFgtJn7.

Authenticate an API using a stateless token

To authenticate an API using a stateless token, follow these steps:

  1. Call the Token Exchange API. Make sure to send your key ID and your secret key as the authorization in the request.

curl -X POST -H "Authorization: Basic N2UwZjExNTItZTBkZC00YjE0LThlMzctMDRjYWIwN2VmZWIwOk5LeG9ScDJtMnczZTlnekpmc3NOUW5UZnlwRmd0Sm43" 
https://services.api.bubbletea.com/auth/v1/token-exchange?projectId=<PROJECT_ID>&environmentId=<ENVIRONMENT_ID>

As a response, you receive an accessToken.

{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MTYyMzkwMjJ9.tbDepxpstvGdW8TC3G8zg4B6rUYAOvfzdceoH48wgRQ",
}

  1. Use the accessToken to call APIs in the context of the project ID and/or environment ID you specified earlier.

curl -H "Authorization: Bearer <STATELESS_ACCESS_TOKEN>" \
https://services.api.bubbletea.com/<ENDPOINT>

Refresh your stateless token

The stateless access token you receive after calling the Token Exchange API includes an exp field which determines the token's lifespan. If your token expires, you can refresh it by calling the Token Exchange API again with your original key ID and secret key.

You can generate a new token before your previous token has expired. Generating a new token doesn't invalidate your previous token.