Prismatic's API in a CI/CD System
Exchanging a Prismatic refresh token for an access token
If you would like to set up a CI/CD pipeline or any other headless system to periodically query the Prismatic API, you will need to provide that system with a refresh token. Your system will then exchange the refresh token for an access token that it can use to query the Prismatic API.
To get a refresh token initially, use prism. You'll just need to do this once:
$ prism me:token --type refresh
2uSiGgplFXAN_igEtOGPIpj3UcGuG0FADIljgJEXAMPLE
In this example, assume that we've created an environment variable on our CI/CD server, PRISMATIC_REFRESH_TOKEN, with the value we obtained above:
PRISMATIC_REFRESH_TOKEN="2uSiGgplFXAN_igEtOGPIpj3UcGuG0FADIljgJEXAMPLE"
We can now configure our CI/CD server to exchange that refresh token for an access token. This example uses jq to parse JSON responses:
# Exchange the refresh token for an access token
RESPONSE=$(curl "https://app.prismatic.io/auth/refresh" \
  --request POST \
  --data '{"refresh_token":"'"${PRISMATIC_REFRESH_TOKEN}"'"}' \
  -H "Content-Type: application/json")
# Pull the access_token field out of the JSON response
PRISMATIC_ACCESS_TOKEN=$(echo "${RESPONSE}" | jq -r .access_token)
That PRISMATIC_ACCESS_TOKEN can now be used in a request to Prismatic's API as a header: Authorization: Bearer ${PRISMATIC_ACCESS_TOKEN}.
That token can be used for 7 days before needing to refresh again.
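A hardened variant of the exchange above, as an added example that is not Prismatic's own code: it JSON-escapes the token with jq, hands the body to curl on stdin so the token stays out of process arguments, and fails instead of passing on the text "null" when the response has no access_token. The function names, the PRISMATIC_URL override and the script file name are assumptions.

```shell
#!/bin/sh
# Added example, not Prismatic's own code. Function names and the
# PRISMATIC_URL override are assumptions made for this illustration.
set -eu

PRISMATIC_URL="${PRISMATIC_URL:-https://app.prismatic.io}"

# Build the request body with jq so the token is JSON-escaped whatever
# characters it contains. printf is a shell builtin and jq reads stdin,
# so the token is not passed as an argument to any process.
build_refresh_body() {
  printf '%s' "$1" | jq -Rsc '{refresh_token: .}'
}

# Print access_token from a response body. Returns non-zero when the body
# is not JSON or the field is missing, null, empty or not a string, rather
# than handing the literal text "null" to later pipeline steps.
extract_access_token() {
  printf '%s' "$1" | jq -er '.access_token | strings | select(length > 0)'
}

# POST the body to /auth/refresh. --data @- makes curl read the body from
# stdin; --fail turns HTTP error statuses into a non-zero exit.
fetch_access_token() {
  response=$(build_refresh_body "$1" |
    curl --silent --show-error --fail --max-time 30 \
      --request POST -H "Content-Type: application/json" \
      --data @- "${PRISMATIC_URL}/auth/refresh") || return 1
  extract_access_token "$response"
}

# Runs only when the CI secret is present. The token goes to stdout so the
# caller can capture it: PRISMATIC_ACCESS_TOKEN=$(sh exchange-token.sh)
if [ -n "${PRISMATIC_REFRESH_TOKEN:-}" ]; then
  fetch_access_token "$PRISMATIC_REFRESH_TOKEN"
fi
```

Capture the output in a variable as shown in the last comment rather than letting it print, so the access token does not end up in the build log.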
Revoking a Prismatic refresh token
If you believe your refresh token has been compromised, or otherwise would like to revoke a refresh token, the process is very similar to refreshing an auth token.
Identify the refresh token that you would like to revoke, then issue an HTTP request to the /auth/revoke endpoint:
PRISMATIC_REFRESH_TOKEN="2uSiGgplFXAN_igEtOGPIpj3UcGuG0FADIljgJEXAMPLE"
# Revoke the refresh token
curl "https://app.prismatic.io/auth/revoke" \
  --request POST \
  --data '{"refresh_token":"'"${PRISMATIC_REFRESH_TOKEN}"'"}' \
  -H "Content-Type: application/json"
You can also use prism to issue the same revocation if you are currently logged in:
$ prism me:token:revoke
When you issue a refresh token revocation request, ALL of your user's refresh tokens are revoked. If you have any scripts that use a refresh token that is tied to your user (for a CI/CD pipeline, etc.), you will need to replace that refresh token with a new one.
If you believe a team member's refresh token has been compromised, please have them log in and revoke their refresh token, or have an organization administrator remove their account if they are unavailable (their account can be re-added later).