FreeKB - Venafi (Certificate Management) - Obtain OAuth Bearer Token using REST API

If you are not familiar with OAuth, check out What is an OAuth token.

The following curl command can be used to obtain an OAuth Bearer Token using the Venafi REST API.

# Replace the placeholder URL with the OAuth token endpoint of your Venafi server.
curl \
--request POST \
--url "https://<venafi-server>/<oauth-token-endpoint>" \
--header "Content-Type: application/json" \
--data '{ "client_id": "foo", "username": "john.doe", "password": "itsasecret", "scope":"agent:delete;certificate:approve,delete,discover,manage,revoke;ssh:manage,delete,discover,approve;configuration:delete,manage;restricted:delete,manage;security:delete,manage;codesign:delete,manage;statistics" }'


Or you could create a JSON file, such as foo.json, where the JSON file would contain something like this.

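{
 "client_id": "foo",
 "username": "john.doe",
 "password": "itsasecret",
 "scope": "agent:delete;certificate:approve,delete,discover,manage,revoke;ssh:manage,delete,discover,approve;configuration:delete,manage;restricted:delete,manage;security:delete,manage;codesign:delete,manage;statistics"
}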


And then issue the curl command like this.

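# Replace the placeholder URL with the OAuth token endpoint of your Venafi server.
curl \
--request POST \
--url "https://<venafi-server>/<oauth-token-endpoint>" \
--header "Content-Type: application/json" \
--data @foo.json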


In these examples, every possible scope was included. The scope value can be adjusted so that the token is only granted the scopes it needs. Here are all of the possible scopes. As an example, the security:manage scope would be needed to issue a REST API call to list Venafi Credentials.

  • agent:delete
  • certificate:approve,delete,discover,manage,revoke
  • ssh:manage,delete,discover,approve
  • configuration:delete,manage
  • restricted:delete,manage
  • security:delete,manage
  • codesign:delete,manage
  • statistics


Something like this should be returned. In this example, the Bearer Token is abc123.

  • expires_in is 31536000 seconds, meaning the token will remain valid for 365 days (1 year)
  • expires is 1655380828, which is 1655380828 seconds after January 1st, 1970 (see understanding epoch time).
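
The following Python sketch is an added example, not code from the original article or from Venafi. It builds the token request body with only the scopes a caller needs (validated against the list above) and converts the expires value into a date. The function names are hypothetical, and the "access_token" key in the constructed sample response is an assumption.

```python
import json
from datetime import datetime, timezone

# Scopes and privileges exactly as listed on this page.
ALL_SCOPES = {
    "agent": {"delete"},
    "certificate": {"approve", "delete", "discover", "manage", "revoke"},
    "ssh": {"manage", "delete", "discover", "approve"},
    "configuration": {"delete", "manage"},
    "restricted": {"delete", "manage"},
    "security": {"delete", "manage"},
    "codesign": {"delete", "manage"},
    "statistics": set(),
}

def build_scope(needed):
    """Return a scope string covering only `needed`; reject anything not listed."""
    parts = []
    for name, privs in needed.items():
        if name not in ALL_SCOPES:
            raise ValueError(f"unknown scope: {name}")
        extra = set(privs) - ALL_SCOPES[name]
        if extra:
            raise ValueError(f"unknown privilege(s) for {name}: {sorted(extra)}")
        parts.append(name + (":" + ",".join(sorted(privs)) if privs else ""))
    return ";".join(parts)

def build_request_body(client_id, username, password, needed):
    """JSON body for the token request, with the same keys as the curl examples."""
    return json.dumps({"client_id": client_id, "username": username,
                       "password": password, "scope": build_scope(needed)})

def describe_expiry(token_response, now_epoch):
    """Convert `expires` to a UTC date and report whole days left at `now_epoch`."""
    expires = int(token_response["expires"])
    when = datetime.fromtimestamp(expires, tz=timezone.utc)
    days_left = max(0, (expires - now_epoch) // 86400)
    return when.strftime("%Y-%m-%d %H:%M:%S UTC"), days_left

if __name__ == "__main__":
    # Only security:manage, the scope this page says is needed to list Venafi Credentials.
    print(build_request_body("foo", "john.doe", "itsasecret", {"security": ["manage"]}))
    # Constructed response using the values quoted on this page;
    # the "access_token" key name is an assumption.
    sample = {"access_token": "abc123", "expires": 1655380828, "expires_in": 31536000}
    print(describe_expiry(sample, sample["expires"] - sample["expires_in"]))
```

The printed request body can be saved to a file such as foo.json and passed to curl with --data @foo.json as shown earlier.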

