Authentication is the process of validating a claim of identity. It is the first half of establishing who a user is and what they should have access to in CDP; the second half, authorization, only starts once the user has been identified.
Requests to CDP are authenticated as submitted by a particular user with one of two mechanisms: an API key, or a token.
Once an API key or token has been validated and the associated CDP user has been determined, authorization takes place.
It is not possible to exchange one authentication type for the other (for example, using an API key to obtain a token).
Tokens are the preferred authentication mechanism.
An API key is a secret that can be attached to a request sent to CDP to authorize access on behalf of a CDP service account. The key value is not stored directly in a CDP database, and it cannot be displayed again once it has been created with the create API keys call, so it must be captured at creation time and kept secret by the caller.
Adding an api-key header as follows will allow a request to be authenticated:
$ curl -X GET \
    'https://api.cognitedata.com/login/status' \
    -H 'Accept: application/json' \
    -H 'api-key: VF34gvwsxGT4w32gfdvsvrwwvMInyr58ZV43HNsaef34Ofdd'
When a user logs in through a web browser, they are sent to the Identity Provider (IdP) configured for the project (an OAuth2 provider, almost always Azure AD or Google) using an authorization code grant flow (see external application integration).
Tokens are used similarly to the API key, passed as a bearer token in the Authorization header:
$ curl -X GET \
    'https://api.cognitedata.com/login/status' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer ewogICJhbGciOiAiUlMyNTYiLAogICJ0eXAiOiAiSldUIgp9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.TCYt5XsITJX1CxPCT8yAV-TVkIEq_PbChOMqsLfRoPsnsgw5WEuts01mq-pQy7UJiN5mgRxD-WUcX16dUEMGlv50aqzpqh4Qktb3rk-BuQy72IFLOqV0G_zS245-kronKb78cPN25DGlcTwLtjPAYuNzVBAh4vGHSrQyHUdBBPM'
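The two curl invocations above build the same request with either an api-key header or an Authorization: Bearer header. The following is an added example, not Cognite's own client code, that does the same from Python: it builds the headers for exactly one mechanism (refusing a request that carries both, since the two cannot be exchanged for each other), decodes the bearer token's claims locally without verifying the signature (only CDP, holding the IdP's keys, can verify it; the decode is for inspecting the subject and expiry before sending), and redacts the secret for logging. The helper names, the redaction format, and the assumption that the bearer token is a compact JWT are this example's own; the sample key and token are the placeholder values from the page, and the request is constructed but never sent, so it runs offline.

```python
"""Added example (not Cognite's client code): build CDP authentication headers
for exactly one mechanism, inspect a bearer token's claims, redact secrets.

Assumptions not taken from the page: helper names, the redaction format, and
that the bearer token is a compact JWT (header.payload.signature, base64url).
"""
import base64
import json
import time

CDP_LOGIN_STATUS = "https://api.cognitedata.com/login/status"

# Placeholder values copied from the page's curl examples (not real credentials).
SAMPLE_API_KEY = "VF34gvwsxGT4w32gfdvsvrwwvMInyr58ZV43HNsaef34Ofdd"
SAMPLE_TOKEN = (
    "ewogICJhbGciOiAiUlMyNTYiLAogICJ0eXAiOiAiSldUIgp9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0."
    "TCYt5XsITJX1CxPCT8yAV-TVkIEq_PbChOMqsLfRoPsnsgw5WEuts01mq-pQy7UJiN5mgRxD-WUcX16dUEMGlv50aqzpqh4Qktb3rk-BuQy72IFLOqV0G_zS245-kronKb78cPN25DGlcTwLtjPAYuNzVBAh4vGHSrQyHUdBBPM"
)


def auth_headers(api_key=None, token=None):
    """Return request headers for exactly one authentication mechanism.

    The page states one type cannot be exchanged for the other, so a caller
    passing both (or neither) is treated as a bug rather than silently picked.
    """
    if (api_key is None) == (token is None):
        raise ValueError("supply exactly one of api_key or token")
    headers = {"Accept": "application/json"}
    if api_key is not None:
        headers["api-key"] = api_key          # service-account key, as in curl example 1
    else:
        headers["Authorization"] = "Bearer " + token  # IdP-issued token, as in example 2
    return headers


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode a compact JWT's header and payload WITHOUT verifying the signature.

    Useful client-side for reading 'sub', 'iat' or 'exp' before a request; it
    proves nothing about authenticity, which is CDP's job on the server side.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def token_expired(payload, now=None):
    """True if the 'exp' claim (seconds since epoch) has passed.

    The page's sample token carries no 'exp', so this helper treats a missing
    claim as 'not expired'; CDP's own validation remains authoritative.
    """
    exp = payload.get("exp")
    if exp is None:
        return False
    current = time.time() if now is None else now
    return current >= exp


def redact(secret, keep=4):
    """Never write a full API key or bearer token to logs; keep a short prefix."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "%s...(%d chars)" % (secret[:keep], len(secret))


if __name__ == "__main__":
    hdr, claims = jwt_claims(SAMPLE_TOKEN)
    print("alg:", hdr["alg"], "sub:", claims["sub"], "expired:", token_expired(claims))
    for h in (auth_headers(api_key=SAMPLE_API_KEY), auth_headers(token=SAMPLE_TOKEN)):
        shown = {k: (redact(v) if k in ("api-key", "Authorization") else v) for k, v in h.items()}
        print("GET", CDP_LOGIN_STATUS, shown)
```

The sample token's payload decodes to a subject of 1234567890 issued at 1516239022 with no expiry claim, which is why token_expired() reports False for it; a production token from the project's IdP will normally carry 'exp', and the client should refresh rather than send a token that has already passed it.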
Cookies are set in a browser after a user has completed the login flow described in the token section. They should not be relied upon, and the API will shortly stop setting them.
The concept of a user logging in is only relevant for cookie-based authentication. Obtaining a token and a cookie is what logging in consists of, but the state the backend holds for the user, keyed by the cookie, is minimal.
To invalidate a cookie session, a request can be made to the /logout endpoint.