
Generate a JSON Web Token (JWT)

Sankar
New Contributor

Hi All,

We are integrating the Datorama Salesforce application with Saviynt. For this, they have asked us to follow the three steps below.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Step 1:
Create an API Service Account in Marketing Cloud Intelligence
You can create an API service account from your profile if you have API access. The client ID and private key are valid for 24 months.

REQUIRED USER PERMISSIONS
To create an API service account: User with Enable API Access
To the right of the navigation bar, click the dropdown arrow, and click your name to access your profile settings.
To create an API service account, next to API Access Token, click Generate/Refresh.
[image: api_token_button]
The API service account’s details are downloaded in a text file locally on your machine. Store this file securely.
NOTE: Generate/Refresh generates the new API service account details. It does not generate the Access Token. The old string tokens are a separate entity and will remain supported until their deprecation date.
The downloaded file looks like this:
[image: api_token_sample]
The token provides this information:
serviceAccountId—Represents your client ID that you use to generate an access token.
privateKey—Your RSA private key that you use to sign your private key JWT (JSON Web Token).
discoveryEndpoint—Use this URL to retrieve the access token generation endpoint and the issuer address.


Step 2:

Generate a JSON Web Token (JWT)
To obtain an access token, you need to generate a JWT with specific claims, and sign it using the RS256 algorithm with your private key.

REQUIRED USER PERMISSIONS
To generate an API token: User with Enable API Access
Step 1: Get the token request endpoint URL

You first need to get the token request endpoint URL.

Insert the discoveryEndpoint URL you obtained when generating the API token in Intelligence into your browser’s search bar.
Press Enter.
Copy the returned value for the field “token_endpoint”.
Example for AWS US (aka US1):
"token_endpoint": "https://XXXXXX.com/us1/token"
Step 2: Sign the JWT

In order to sign the JWT, you must use the private key provided when generating the API Token in Intelligence to encode the payload.

Using Python the necessary modules we need are:

import jwt
import requests
import uuid
import time
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.backends import default_backend
The Intelligence platform supports the JWT module - jwt 1.3.1

The JWT needs to be generated with specific claims and signed using the RS256 algorithm with your private key.

JWT Claims (payload):
{
"iss": "your-client-id",
"aud": "https://XXXXXXXXXXXXXXXXXXX.com",
"sub": "your-client-id",
"iat": 1690129371,
"jti": "45911cd010b846f9810b150c969b0007"
}
"iss" and "sub": Equivalent to the serviceAccountId.

"iat": Epoch time in seconds (the time when the token was issued).

"jti": A random UUID without "-".

Example of JWT

# env can be us1 / us2 / eu1 / eu2
app = 'us1'
service_account_id = ''  # the serviceAccountId from the downloaded file
private_key_str = '''-----BEGIN RSA PRIVATE KEY-----\nMIIEogI....REDACTED.....xweWOhhutft/sA=\n-----END RSA PRIVATE KEY-----'''

# Parse the PEM once so an invalid or truncated key fails here, before signing
private_key = serialization.load_pem_private_key(
    private_key_str.encode(),
    password=None,
    backend=default_backend()
)

# jwt 1.3.1 signs with a JWK object built from the same PEM string
private_key_jwk = jwt.jwk_from_pem(private_key_str.encode())

payload = {
    "iss": service_account_id,
    "aud": "https://XXXXXXXXXXXXXXXX.com",
    "sub": service_account_id,
    "iat": int(time.time()),
    "jti": str(uuid.uuid4()).replace('-', '')
}

jwt_object = jwt.JWT()
jwt_token = jwt_object.encode(payload, private_key_jwk, alg='RS256')

Step 3: Use the JWT to obtain a Platform Token

The Token Endpoint is available in the discoveryEndpoint URL obtained from your API client information.

NOTE: The endpoint used in the example for the AWS US instance may change.
"token_endpoint": "https://XXXXXXXXXXXX.com/us1/token"

Request Parameters (all of type string):
client_id: Your client ID (serviceAccountId).
client_assertion: Your JWT.
client_assertion_type: The type of client assertion (fixed value: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer').
grant_type: The grant type (fixed value: 'client_credentials').
Request structure

[token_endpoint_obtained_from_the_beginning_of_Step_2]?grant_type=client_credentials&client_assertion=[your_signed_jwt_token]&client_id=[your_client_id]&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer

Example Response

{
"access_token": "eyJraWQ...",
"expires_in": 300
}
“access_token”—The issued access token that you use to make API calls.
“expires_in”—The access token lifetime is 5 minutes (300 seconds).


Step 3:

Use the Access Token
After you have obtained the access token from the token request response, you can use it to make authenticated API calls to other endpoints.

As an example, let's use the access token to make a POST request to get your user details:

POST https://app.XXXXXXX.com/services/admin/user/find/{user_id}

You should add an Authorization Header:

Authorization: Bearer [your access token]

Replace [your access token] with the actual access token obtained from the token request response (field: “access_token”).

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


We have completed Step 1 from the Datorama UI, and we need to know how we can achieve Step 2.


Can someone help us with this?


Thanks,

Sankar.
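For the Step 2 and Step 3 material quoted above, here is an added worked example; it is not code from the Marketing Cloud Intelligence docs, from Datorama, or from Saviynt. It assembles the RS256 JWT by hand with only the `cryptography` package (so every byte that gets signed is visible, instead of relying on a particular `jwt` module version), shows the checks a token endpoint performs before trusting such an assertion, and builds the Step 3 request parameters. The service account id, audience, token endpoint and the throwaway RSA key are constructed placeholders; in practice the `privateKey` and `serviceAccountId` from the downloaded file and the issuer and `token_endpoint` from the discovery document are used instead.

```python
# Added example (not the docs' or Saviynt's code): RS256 client-assertion JWT
# built and verified with `cryptography` only, plus the token-request parameters.
import base64
import json
import time
import uuid
from typing import Optional, Tuple

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Constructed placeholders: real values come from the downloaded service-account
# file (serviceAccountId, privateKey) and the discovery document (issuer, token_endpoint).
SERVICE_ACCOUNT_ID = "placeholder-service-account-id"
AUDIENCE = "https://issuer.placeholder.example"
TOKEN_ENDPOINT = "https://issuer.placeholder.example/us1/token"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7515 requires for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def load_private_key(pem: str):
    """Same parser the page uses for the privateKey string from the downloaded file."""
    return serialization.load_pem_private_key(pem.encode(), password=None)


def build_claims(service_account_id: str, audience: str, now: Optional[int] = None) -> dict:
    """Claims as Step 2 lists them: iss and sub are the serviceAccountId, aud is the
    issuer URL, iat is epoch seconds, jti is a random UUID with the dashes removed."""
    return {
        "iss": service_account_id,
        "aud": audience,
        "sub": service_account_id,
        "iat": int(time.time()) if now is None else now,
        "jti": uuid.uuid4().hex,  # uuid4 rendered without '-'
    }


def sign_rs256(claims: dict, private_key) -> str:
    """header.payload.signature, signed with RSASSA-PKCS1-v1_5 over SHA-256 (RS256)."""
    header = {"alg": "RS256", "typ": "JWT"}
    signing_input = "{}.{}".format(
        b64url(json.dumps(header, separators=(",", ":")).encode()),
        b64url(json.dumps(claims, separators=(",", ":")).encode()),
    )
    signature = private_key.sign(signing_input.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(signature)


def verify_rs256(token: str, public_key, expected_aud: str, expected_iss: str,
                 max_age: int = 300, now: Optional[int] = None) -> dict:
    """The checks a token endpoint must make before trusting a client assertion:
    pin the algorithm, verify the signature, then aud, iss/sub and iat freshness.
    Raises ValueError on any failure so a caller cannot accept it by accident."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    try:
        public_key.verify(b64url_decode(sig_b64), f"{header_b64}.{payload_b64}".encode("ascii"),
                          padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch")
    if claims.get("iss") != expected_iss or claims.get("sub") != expected_iss:
        raise ValueError("issuer/subject mismatch")
    current = int(time.time()) if now is None else now
    iat = claims.get("iat")
    if not isinstance(iat, int) or not (current - max_age <= iat <= current + 60):
        raise ValueError("iat outside the acceptable window")
    return claims


def build_token_request(token_endpoint: str, client_id: str, assertion: str) -> Tuple[str, dict]:
    """Step 3 parameters, returned as a form body for requests.post(url, data=form).
    Assumes the endpoint accepts a form body (the page shows them on the URL)."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": assertion,
    }
    return token_endpoint, form


def demo() -> Tuple[str, dict]:
    """End-to-end run with a throwaway RSA key standing in for the downloaded privateKey."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                            serialization.NoEncryption()).decode()
    private_key = load_private_key(pem)
    token = sign_rs256(build_claims(SERVICE_ACCOUNT_ID, AUDIENCE), private_key)
    verify_rs256(token, private_key.public_key(), AUDIENCE, SERVICE_ACCOUNT_ID)
    return build_token_request(TOKEN_ENDPOINT, SERVICE_ACCOUNT_ID, token)
```

The page's request structure appends the four parameters to the token URL; the example returns them as a form body instead, which keeps the signed assertion out of URL-based proxy and server access logs, and is how the jwt-bearer client assertion is normally submitted. Whether the Intelligence endpoint accepts a form body is an assumption to confirm against the live endpoint. `verify_rs256` is included because it shows why the token is only useful for the named `aud` and within the `iat` window: a captured assertion cannot be replayed at another issuer or after it goes stale.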

4 REPLIES

rushikeshvartak
All-Star

Refer to https://docs.saviyntcloud.com/bundle/Dev-Handbook-REST-v24x/page/Content/Developers-Handbook.htm for sample JSONs.

https://forums.saviynt.com/t5/identity-governance/connecting-to-adobe-using-jwt/m-p/27486#M14686


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Sankar
New Contributor

Hi @rushikeshvartak,

Thanks for the useful links, but that does not work in my case. The application team is asking us to sign the JWT token from our end.

Can you tell me how to sign the JWT token from Postman with JWT libraries?

My issue is still not resolved. Can someone help me with this?


Thanks,

sankar

NM
Valued Contributor

Hi @Sankar , were you able to resolve it?

Sankar
New Contributor

Hi @NM ,

No, it is still not resolved.

Thanks,
sankar.