Setting up token authentication

All custom applications, remote clients, and scripts, which integrate with Venafi SDKs, require set up. Setup for OAuth token authentication has a few steps.

First, you verify Remote Access tree defaults. The settings allow Trust Protection Platform Authentication Server to manage tokens. This server is also known as the VEDAuth server.

Next, you register and specify scopes for each application. The settings match all of the scopes that your application uses. Later, in an Authorize call, your application uses this same information to get tokens.

Last, you give the caller access to make API calls. Then, your calling application can get a token and operate.

Did You Know?
Instead of third-party single sign-on software, the VEDAuth server uses the OAuth 2.0 principles to manage tokens and grants. During installation, the VEDAuth server automatically enables as an IIS service. However, depending on authentication methods, the configuration varies.

To set up for token authentication

  1. (Optional) Configure IIS Manager to accept certificate authentication for Remote Web SDK clients. Recommended for POST Authorize/Certificate.
  2. In WebAdmin, navigate to the Remote Access tree.
  3. On the Token Auth Configuration Settings tab, confirm and update the following values as appropriate.

    Token Auth Configuration Settings



    Token Validity (days)

    The period of time that the bearer access token is valid before rotation is required. The default is 90.

    Grant Validity (days)

    The maximum time that an authorization grant for the Token Auth scope is valid. If the Refresh Token is enabled, you can continue to get new tokens until the token and grant expire. The default is 365.

    Refresh Token

    Refresh settings:

    • Enabled: Default. Receive a refresh token with the request for a bearer access token. Prior to the Token Validity date, you can send the refresh token to the VEDAuth server to get a new bear access token.

    • Disabled: At the time when the VEDAuth server issues a bearer access token, no refresh token is supplied.

    Session Pool Size (sessions)

    The number of concurrent sessions for API calls. The default is 500. If the number of simultaneous API calls exceed the pool size, the oldest unused session is removed from the pool.

    Session Expiration (minutes)

    The number of minutes each token remains in memory. The default is 1440.

  4. Under Allowed Authentication Methods, select one or more of the following:

    Allowed Authentication Methods


    Trust Protection Platform Authentication Server setting

    Username & Password The client passes a user name and password to the VEDAuth server. Recommended for POST Authorize/OAuth.
    Integrated Windows Authentication The client passes Windows credentials to the VEDAuth server.


    The caller passes a client certificate to the VEDAuth server. Next, you register and specify scopes for each application. The settings match all of the sco. The certificate resides on the caller's computer. The certificate must be valid for the purposes of Client Authentication. Recommended for POST Authorize/Certificate.

    For additional configuration settings, see the next step.

  5. (Optional) Complete the Certificate Authentication section:

    Certificate Authentication Settings



    X.509 Identity Field

    The field for Trust Protection Platform Authentication Server to use as the user identity:

    • SubjectAltName: UPN: The identity that also has access to the Web SDK.
    • SubjectAltEmail: The email address (es).
    • CN: The certificate name (CN). For local identities, always specify CN.
    Trusted Certificate Authorities The CA(s) that are approved to issue client certificates for authentication. Select a Trusted Certificate Authority certificate from the Roots tree.
  6. Click Save and either wait 10 minutes or in IIS, recycle the VEDAuth application pool.
  7. For Venafi applications, such as the MMC, skip this step. Use Aperture to register and set scopes for your application. For more information, see Creating API application integrations.

    TIP  Always select the same scopes that your application requires. For example, if the application uses three scopes, the configuration reflects those same scopes.

    Scope definitions match application scopes

  8. Grant the API caller access to your application. For more information, see Editing an existing integration's API access list.

  9. To get a token, call an Authorize method with the values you just defined. For more information, see Getting a token.