Authentication
You'll want to query the Prismatic API with tools outside of the GraphiQL explorer. To do that, you'll need an API token. When you authenticate against Prismatic through the web application or Prismatic CLI tool, your web browser or CLI tool receives a JWT that can be used to query the API.
To view a short-lived token in the web browser, visit https://app.prismatic.io/get_auth_token/ while logged in.
If you're using the Prismatic CLI tool, use the me:token subcommand.
prism me:token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.Example
Pass that token as a bearer token in the HTTP Authorization header to authenticate your queries against the API. For example:
export PRISMATIC_API_TOKEN=$(prism me:token)
curl https://app.prismatic.io/api \
--request POST \
--header "Authorization: Bearer ${PRISMATIC_API_TOKEN}" \
--header "Content-Type: application/json" \
--data '{"query": "query { integrations { nodes { id name }}}"}'
Long-lived tokens
Access tokens from prism me:token or the web app are short-lived.
For automated systems, scripts, or CI/CD pipelines, you'll want to use refresh tokens instead.
Refresh tokens have a longer lifespan and can be exchanged for new access tokens as needed.
Generating a refresh token
To generate a refresh token, use prism with the --type refresh flag:
prism me:token --type refresh
2uSiGgplFXAN_igEtOGPIpj3UcGuG0FADIljgJEXAMPLE
Store this token securely (for example, as an environment variable named PRISM_REFRESH_TOKEN).
If you're using prism in your automated system, it will automatically detect this environment variable and exchange it for access tokens as needed.
Exchanging a refresh token for an access token
If you're wrapping Prismatic's API directly (not using prism), you can exchange a refresh token for an access token manually:
curl "https://app.prismatic.io/auth/refresh" \
--request POST \
--data '{"refresh_token":"YOUR_REFRESH_TOKEN"}' \
-H "Content-Type: application/json"
The response includes an access_token that's valid for 7 days.
If you have multiple tenants in a single region, you can specify which tenant to authenticate with by including a tenant_id (UUID) in your request:
curl "https://app.prismatic.io/auth/refresh" \
--request POST \
--data '{"refresh_token":"YOUR_REFRESH_TOKEN","tenant_id":"YOUR_TENANT_UUID"}' \
-H "Content-Type: application/json"
You can verify your tenant ID by running prism me.
For more details on using refresh tokens in CI/CD systems, including how to revoke tokens, see Authentication in a CI/CD system.
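The refresh exchange above, written as an added Python example for a script that wraps the API directly (not Prismatic's own code). It builds the request body with a JSON encoder rather than string interpolation, and reuses a cached access token until it is close to expiry. It assumes the access token is a JWT carrying a standard exp claim; PRISMATIC_TENANT_ID is a hypothetical variable name, and the function names are illustrative.

```python
import base64, json, os, time, urllib.request

REFRESH_URL = "https://app.prismatic.io/auth/refresh"  # endpoint from the page


def build_refresh_request(refresh_token, tenant_id=None):
    """Build the POST shown above; json.dumps handles quoting of the secret."""
    body = {"refresh_token": refresh_token}
    if tenant_id:  # only needed with multiple tenants in one region
        body["tenant_id"] = tenant_id
    return urllib.request.Request(
        REFRESH_URL,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def jwt_expiry(token):
    """Return the exp claim (epoch seconds), or None if it cannot be read.

    Assumption: the access token is a JWT with a standard exp claim. The
    signature is NOT verified here; this only decides when to refresh.
    """
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore base64url padding
        exp = json.loads(base64.urlsafe_b64decode(payload)).get("exp")
        return exp if isinstance(exp, (int, float)) else None
    except (IndexError, ValueError, AttributeError):
        return None


def needs_refresh(token, now=None, skew=300):
    """True when the token is missing, unreadable, or expires within skew seconds."""
    exp = jwt_expiry(token) if token else None
    now = time.time() if now is None else now
    return exp is None or exp - now <= skew


def get_access_token(cached=None):
    """Reuse a still-valid cached token; otherwise exchange the refresh token."""
    if not needs_refresh(cached):
        return cached
    req = build_refresh_request(os.environ["PRISM_REFRESH_TOKEN"],
                                os.environ.get("PRISMATIC_TENANT_ID"))  # hypothetical name
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]
```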