POST Authorize/Certificate

Obtains an authorization token from the Trust Protection Platform server using a client certificate that identifies the caller. To set up certificate authentication, see the Remote SDK section in Setting up certificate authentication for web console. After this call completes, place the access_token in the header of your REST call. Your client can reuse the same token until it expires. As necessary, your client should track the expiration time and use the refresh token to get a new access token. On exit, your client can revoke the token.

DID YOU KNOW?   This call, which is managed by the VEDauth service, replaces a Web SDK call by the same name.

For remote clients that use certificates to authenticate with the Web SDK, the VEDauth authentication server returns a bearer token only when:

  • A client certificate is present in the caller's computer.
  • The client certificate was issued by an approved issuer.
  • The user identity originates in the Certificate Name (CN), Email Subject Alternate Name (SAN), or User Principal Name (UPN) SAN of the certificate. The value depends on the certificate authentication configuration settings.
  • The mapped identity is authorized to use the Web SDK.

CAUTION   Secure your bearer tokens. Do not share tokens with other integrations. When processing completes, your integration can manage the grant by calling GET Revoke/Token.


Register an API Integration and give the caller access. Use the scope and other information from the integration. For more information, see Setting up token authentication.

Client ID is the Application ID


Permissions: The caller is not required to have any special permissions.


  • Content type: Content-Type:application/json.

  • No bearer access token is necessary for this API call.


In the request URL, specify vedauth. For example, POST https://tpp.venafi.example/vedauth/authorize/certificate. All parameter names are case sensitive.

Input parameters




client_id: Case sensitive. The value must match the Client ID in the API integration. For more information, see Setting up token authentication.

scope: The set of scopes and restrictions for the client_id. The set must:

  • Match some or all of the scope(s) that appear in the API integration.

  • Match the scopes that your application actually uses when it makes API calls. Use the Scope map for tokens to verify the requirements for the endpoint. Otherwise, missing scopes may cause a failure at run time.

Scope matches values from API integration in the UI


Response description



HTTP 200

For valid requests, Authorize/Certificate returns an HTTP 200 message and the following data:

  • access_token: A bearer access token to add to the header of other Venafi API calls. Represents authorization to use the requested scope.
  • refresh_token: Appears only if Refresh Token is enabled in the API Integrations configuration. The refresh token to use when access_token expires or becomes invalid. To refresh, call POST Authorize/Token refresh.
  • expires_in: The number of seconds until the token expires. For example, 7775999 is 90 days.
  • expires: The token expiration time stamp in the Epoch format. The length of time varies based on Remote tree settings.
  • token_type: The description or grant type of the access_token. The value is Bearer.
  • scope: The access token scope that is the authorized range of resources that the client can use.
  • identity: The identity provider and GUID that identifies the user.
  • refresh_until: Represents when the grant expires. The time is represented in Epoch time. After this limit has been reached the refresh_token will no longer work and you will need to obtain a new grant via an Authorize call.
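
The reuse, refresh, or re-authorize decision that a client has to make from the expires, refresh_token and refresh_until fields, as an added example that is not part of the Venafi documentation. Get-TokenAction, New-BearerHeader and the 60-second margin are hypothetical names and an assumed value; the sample grant is constructed, with the epoch values taken from Example 2 on this page.

```powershell
# Decide what to do with a cached grant returned by Authorize/Certificate.
function Get-TokenAction {
    param(
        [Parameter(Mandatory)] $Grant,      # parsed JSON response object
        [long] $Now = ([DateTimeOffset]::UtcNow.ToUnixTimeSeconds()),
        [int]  $SkewSeconds = 60            # assumed safety margin, not a product setting
    )
    # Access token still valid, allowing for clock skew: keep using it.
    if (([long]$Grant.expires - $SkewSeconds) -gt $Now) { return 'Reuse' }

    # Access token expired: a refresh is possible only if a refresh_token
    # was issued and the grant itself (refresh_until) has not run out.
    if ($Grant.refresh_token -and ([long]$Grant.refresh_until -gt $Now)) {
        return 'Refresh'                    # next step: POST Authorize/Token refresh
    }
    return 'Reauthorize'                    # next step: POST Authorize/Certificate
}

# Build the header for later REST calls without echoing the token.
function New-BearerHeader {
    param([Parameter(Mandatory)] $Grant)
    if ($Grant.token_type -ne 'Bearer') {
        throw "Unexpected token_type: $($Grant.token_type)"
    }
    return @{ Authorization = "Bearer $($Grant.access_token)" }
}

# Constructed sample grant; the token strings are placeholders.
$grant = [pscustomobject]@{
    access_token  = 'EXAMPLE-ACCESS-TOKEN'
    refresh_token = 'EXAMPLE-REFRESH-TOKEN'
    expires       = 1619042507
    token_type    = 'Bearer'
    refresh_until = 1642802507
}

$headers = New-BearerHeader -Grant $grant   # pass as -Headers $headers on other calls

# Three points in time: before expires, between expires and
# refresh_until, and after refresh_until.
foreach ($t in 1619000000, 1630000000, 1650000000) {
    '{0}: {1}' -f $t, (Get-TokenAction -Grant $grant -Now $t)
}
```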

HTTP 400

If the response is HTTP 400, a generic error appears with a customized description for this particular endpoint.

  • Error

    • invalid_client: Browser-based authentication is disabled.

    • invalid_request: The client_id is missing or an internal error occurred.

    • invalid_scope: The requested scope is missing, expired, revoked, malformed, or exceeds the scope from the API Integration in the UI.

    • invalid_grant: Details vary based on the Authorize request. Reasons for this error include:

      • The Authorize user ID and password were either invalid or missing.
      • A scope is not allowed for the particular API integration.
      • The device_code from POST Authorize/Device is expired or invalid.

      • The client_id must match the Client ID in the UI API integration.

    • unauthorized_client: The Venafi user is not authorized for this authorization grant type.

  • Error_description: If available, additional information about how to retry the request.

HTTP 401

If there are authentication errors, this API call returns an HTTP 401 that includes one of the following:

  • Certificate authentication not enabled

  • Certificate did not contain an acceptable identity

  • Certificate not signed by an approved issuer

  • Failed to issue grant: [error]

  • Unhandled identity claim type

Example 1: Use a local certificate to authorize, receive an access token for other API calls

In Postman, configure Settings that identify the Trust Protection Platform server and the location of the certificate that identifies the caller. For more information, see

Request for Example 1

POST https://tpp.venafi.example/vedauth/Authorize/Certificate
{
    "client_id": "MyApp",
    "scope": "Certificate:discover,manage,delete"
}

Response for Example 1

HTTP/1.1 200 OK

Example 2: Use a PowerShell script and a local certificate; receive an access token for other API calls

Request for Example 2

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

#Define Connection Variables
$Server = 'https://tpp.venafi.example/vedauth'
$uri = $Server+'/authorize/certificate'

#Build up the request to send to the server; add any values that you need to pass
$client_id = 'client-certificate-auth'
$scope ='certificate:discover,manage,delete'

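#Load the client certificate that identifies the caller
#The PFX password below is a sample value; read it from a secure store rather than hardcoding it
$cert_pfx = "C:\Temp\client.pfx"
$cert_pass = "newPassw0rd!"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($cert_pfx,$cert_pass)
Write-Host Client Certificate: $cert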

#Put object together and convert to JSON
$MyObject = @{ client_id = $client_id; scope = $scope }
$json = $MyObject | ConvertTo-Json

#When passing a JSON object, you need to pass it with -Body $variable
$result = Invoke-RestMethod -Method Post -Uri $uri -Body $json -ContentType "application/json" -Certificate $cert

Write-Host Created token: $result

Response for Example 2

HTTP/1.1 200 OK
Client Certificate: [Subject]


[Serial Number]

[Not Before]
  6/12/2019 1:29:18 PM

[Not After]
  6/12/2020 1:39:18 PM


Created token: @{access_token=DvklL3cHWmH1GaDOaEqZ5Q==;
 refresh_token=D3aACQ9NPhSN8ymM4cjSAA==; expires_in= 7775999;
 expires= 1619042507; token_type=Bearer; scope=certificate:discover, 
 manage,delete; identity=AD+Active Directory:77338c27877bd0418c62176f256abd4d; 
 refresh_until= 1642802507 }