Authentication
Breaking changes for Digital Twin Registry and Aspect Model Catalog: The APIs have been updated to Bosch Semantic Stack v5 on November 04, 2025. From now on, API calls must use the new target client ID as listed on this page. Further details: Migrate to v5.
To use the Bosch Semantic Stack services, valid authentication is required. The protocol used is OAuth2, implemented through the Authentication/Authorization system.
The API requests for the solution you are building need:
- client ID (your-client-id)
- client secret (your-client-secret)
- These client credentials are defined for your tenant (your-tenant-id)
See Add a module to your tenant if you do not have any credentials yet.
When requesting a JSON Web Token (JWT) to access the Bosch Semantic Stack services, you need a scope for the token.
The scope for the token is composed as follows:
- Set the client ID of the target service (target client ID) as audience scope (target-client-id): i2zkcq1li0ps1pjh62gjj1892
- Set scope to: openid
The full scope value for the token then is:
aud:i2zkcq1li0ps1pjh62gjj1892 openid
To retrieve a valid JWT, the following call (OAuth2 Client Credentials Flow) needs to be issued (sample given as cURL):
curl -X POST \
https://portal.bosch-nexeed.com/iam/access-management/v1/tenants/<your-tenant-id>/openid-connect/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'cache-control: no-cache' \
-d 'grant_type=client_credentials&client_id=<your-client-id>&client_secret=<your-client-secret>&scope=aud:<target-client-id>%20openid'
You’ll receive a JSON structure as a response where the property access_token is the JWT to be used for requests against services like the Digital Twin Registry.
To use the JWT, a request must have the following header set:
Authorization: Bearer <access_token>
Token Expiry
The JWTs have a rather short lifetime. How you handle token expiry is up to you; here are two options:
- Use the token until a service responds with a 401. In a fallback method, retrieve a new token, then retry the request.
- Within your application, apply a hook or interceptor (most HTTP/REST libraries allow this) to check the token expiry. If the token would expire within, for example, the next 60 seconds, first retrieve a new token, then carry on with the request.
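Both expiry options combined in one client-side helper, as an added example that is not part of the original documentation or Bosch's own code. The names fetch_token, jwt_exp, TokenCache and call_with_retry are hypothetical, and the example assumes the access token carries the standard exp claim.

```python
import base64, json, time, urllib.parse, urllib.request

# All names below are hypothetical helpers for this example.
TOKEN_URL = ("https://portal.bosch-nexeed.com/iam/access-management/v1/"
             "tenants/{tenant}/openid-connect/token")

def fetch_token(tenant, client_id, client_secret, target_client_id):
    """Client Credentials request with the same form fields as the cURL call."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # load from a secret store, never log it
        "scope": f"aud:{target_client_id} openid",
    }, quote_via=urllib.parse.quote).encode()
    req = urllib.request.Request(
        TOKEN_URL.format(tenant=tenant), data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]

def jwt_exp(token):
    """Return the exp claim (epoch seconds) from the JWT payload.
    Assumption: the token carries exp. The signature is not checked here;
    the value only schedules a refresh, the service still validates the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]

class TokenCache:
    """Option 2: hand out a cached token, renewing it `skew` seconds early."""
    def __init__(self, fetch, skew=60, now=time.time):
        self.fetch, self.skew, self.now = fetch, skew, now
        self.token, self.exp = None, 0

    def get(self, force=False):
        if force or self.token is None or self.exp - self.now() <= self.skew:
            self.token = self.fetch()
            self.exp = jwt_exp(self.token)
        return self.token

def call_with_retry(cache, send):
    """Option 1 as a fallback: send(headers) -> (status, body); on 401
    fetch a fresh token and retry once, so a rejected token cannot loop."""
    status, body = send({"Authorization": f"Bearer {cache.get()}"})
    if status == 401:
        fresh = cache.get(force=True)
        status, body = send({"Authorization": f"Bearer {fresh}"})
    return status, body
```

Wire it up as TokenCache(lambda: fetch_token(tenant, client_id, client_secret, target_client_id)); send is whatever function performs your HTTP request and returns the status code and body.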