Service Users

An OPA Service User is used to access the OPA API. Each Service User is provided tokens used to authenticate and authorize against the service.

Issue a Service User token

Most calls to the OPA API require an HTTP Authorization header with a value of Bearer ${AUTH_TOKEN}. To retrieve an auth token, you need to create an API key for a Service User and pass the API key information to this endpoint. Auth tokens may expire at any time, so code that uses them should be prepared to handle a 401 response code by creating a new auth token.

This endpoint requires the following role: resource_admin.

Request
path Parameters
team_name
required
string

The name of your Team

Request Body schema: application/json
required
key_id
required
string <regex> (?i)^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}...

The ID of the API key

key_secret
required
string [ 1 .. 512 ] characters

The secret associated with the API key

Responses
200

OK

POST /v1/teams/{team_name}/service_token
Request samples
application/json
{
  "key_id": "6052868b-1b04-4a14-8288-e6496d7f2f4b",
  "key_secret": "uF0SoVBVQP/hJmQSLUZdM2a7ArYzjD8ykzvG7n4tKaOEfSErcwMUUDWpEf4Q42/HaVKPZUfILkzy/bsQFv7WRg=="
}
Response samples
application/json
{
  "bearer_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImI4YTAzODA0MTM0NjctNGU5OC04ZDU2LTAxNDRlNGNkMGViMCIsInR5cCI6IkpXVCJ9eeyJleHAiOjE0NzY4MTE1OTAsImlzcyI6InNjYWxlZnQuYXV0aC50b2tlbiIsImp0aSI6IjA0YjRhNTE4LWU5YzYtNDc1My05YWY4LThlOTAwNjVjNjX5YSIsInJvbGVzIjp7IjE0NzY4MTE1OTAiOm51bGx9LCJ0ZWFtIjoic2NhbGVmdCIsInVzZXIiOiJyb2JvdF9ydXNzZWxsIn0.pHuv06Q1-sKjHrGXUzQi-uM7AAG3K1Q6RyukyuR2Py6QHwLot1uZmZt4wrBo6tQRCl3RjHBKGcDmEfBZ6_gFucksFMkINTU3sIDmOvSAChopraXjfYh0KarEDmDnIMsEPl7FVhl4N_I0yLK9O5XSS07AvAc-7RRD8dupe7inDITCHEvoJ16osgL1IzoDvc7ZPDj8-xhJ_kAsKc-vJ5WYESAlCFx_fixedM43Apg2TySNE5nSeJFCa02F4ViZleY7K2l4h_p143DzVZjWEBeKmyQVRXhbZzL6HwONOckham_LHuSrP_sOtVc7BrFwmZq2NZtXEOWyQWfJ4Yp0qg8NzV2LhKLc4LookQuilt8OA8jyEeTabu3Rq9zp0y-FodMg64qfWcPSu53HiwYC9dags5zhXa8zuZRcPMO_orCPVYnmO761xAfsp-P8aJJZDqpxlzKA0s-ClBegunC5C9Xq5snIq-f4hT45u8ldBfAr6dLkDO8BdPMTeutH52bTWX3iJ1ipW1YqMefJhPMzBHLwnJ3SYWN7WTEuRyoC6ndQ60PcEzsPJYAO5MxdY4WsnYOqv3aIryuTlwW3K0dNqcvBSirdar5X7AvidO-XLSXXrY134BogaLBze7FwVYwH7ZhzBdX-DwsUwQsJ7R0mRWxpNnhGu7NjkbB0-QJs",
  "expires_at": "2016-10-18T17:26:30Z",
  "team_name": "scaleft"
}

List all Service Users for a Team

Lists all Service Users for your Team.

This endpoint requires one of the following roles: pam_admin, security_admin, resource_admin, delegated_resource_admin.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

query Parameters
contains
string

Only return results that include the specified value

count
integer <int32>

The number of objects per page

descending
boolean

The object order

id
string

Only return results with the specified IDs

include_service_users
string

Only return Service Users in the results

offset
string

The offset value for pagination. The rel="next" and rel="prev" Link headers define the offset for subsequent or previous pages.

prev
boolean

The direction of paging

starts_with
string

Only return Users with a name that begins with the specified value

status
string

Only return Users with the specified status. Valid statuses: ACTIVE, DISABLED, and DELETED.

Responses
200

OK

GET /v1/teams/{team_name}/service_users
Response samples
application/json
{
  "list": [
    { },
    { }
  ]
}

Create a Service User

Creates a Service User that can be used to automate interactions with the OPA API.

This endpoint requires the following role: resource_admin.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

Request Body schema: application/json
required
name
required
string <regex> [ 1 .. 255 ] characters

The name of the Service User

Responses
201

Created

POST /v1/teams/{team_name}/service_users
Request samples
application/json
{
  "name": "OPA User"
}
Response samples
application/json
{
  "deleted_at": null,
  "details": null,
  "id": "aa225c16-af6e-4ab4-9150-456fd472e2d7",
  "name": "OPA User",
  "status": "ACTIVE",
  "team_name": "william-faulkner",
  "user_type": "service"
}

Retrieve a Service User

Retrieves a specified Service User.

This endpoint requires one of the following roles: pam_admin, security_admin, resource_admin, delegated_resource_admin.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

user_name
required
string

The username for an existing User

Responses
200

OK

GET /v1/teams/{team_name}/service_users/{user_name}
Response samples
application/json
{
  "deleted_at": null,
  "details": null,
  "id": "6b69de4e-90be-4016-9085-d54bf5815da1",
  "name": "A.User",
  "status": "ACTIVE",
  "team_name": "william-faulkner",
  "user_type": "service"
}

Update a Service User

Updates a specified Service User.

This endpoint requires the following role: resource_admin.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

user_name
required
string

The username for an existing User

Request Body schema: application/json
required
status
required
string

The status of the User: ACTIVE, DISABLED, or DELETED. Users can't disable or delete their own account.

Responses
200

OK

PUT /v1/teams/{team_name}/service_users/{user_name}
Request samples
application/json
{
  "status": "DISABLED"
}
Response samples
application/json
{
  "deleted_at": null,
  "details": null,
  "id": "6b69de4e-90be-4016-9085-d54bf5815da1",
  "name": "A.User",
  "status": "DISABLED",
  "team_name": "william-faulkner",
  "user_type": "service"
}

List all API keys

Lists all API keys for a specified Service User. This doesn't return the corresponding secret for each API key.

This endpoint requires the following role: resource_admin.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

user_name
required
string

The username for an existing User

Responses
200

OK

GET /v1/teams/{team_name}/service_users/{user_name}/keys
Response samples
application/json
{
  "list": [
    { },
    { }
  ]
}

Rotate all API keys

Rotates all API keys for a specified Service User. This also sets an expiration date for the existing API keys.

This endpoint requires the following role: resource_admin.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

user_name
required
string

The username for an existing User

Responses
200

OK

POST /v1/teams/{team_name}/service_users/{user_name}/keys
Response samples
application/json
{
  "expires_at": "0001-01-01T00:00:00Z",
  "id": "ba7ffbe9-c8e4-45c9-bc07-45729711c952",
  "issued_at": "2020-04-07T00:00:00Z",
  "last_used": null,
  "secret": "NOvsvBg0g9mFXdHbLxEJcEFpu+LZjQSKsYezqMALq5WbGZTpUsxoS4vBqqHOO9O3xrhOq03B+oLf7bSTShbudw=="
}

Delete an API key

Deletes an API key for a Service User. The Service User can no longer authenticate with this API key.

This endpoint requires the following role: resource_admin.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

user_name
required
string

The username for an existing User

key_id
required
string

The UUID of a Service User key

Responses
204

No Content

DELETE /v1/teams/{team_name}/service_users/{user_name}/keys/{key_id}