Authentication

Breaking changes ahead for: Digital Twin Registry API, Aspect Model Catalog API
The APIs will be updated to Bosch Semantic Stack v5 on November 04, 2025.
The update will be carried out from 16:30 to approximately 18:30 CET / UTC+1.
Action required: Migrate to v5.

To use the Bosch Semantic Stack services, you need valid authentication. The protocol used is OAuth2, implemented through the Authentication/Authorization system.

The API requests for the solution you are building need:

  • client ID (your-client-id)

  • client secret (your-client-secret)

  • tenant ID (your-tenant-id); the client credentials are defined for your tenant

See Add a module to your tenant if you do not have any credentials yet.

When requesting a JSON Web Token (JWT) to access the Bosch Semantic Stack services, you need a scope for the token.

The scope for the token is composed as follows:

  1. Set the client ID of the target service (target client ID) as audience scope (target-client-id):

    • From v5 (Nov 04, 2025) on: i2zkcq1li0ps1pjh62gjj1892

    • Until EOL v4:

      • Digital Twin Registry: bqfin42m7vho1k7r2srjrge28

      • Aspect Model Catalog: q8f6z22otkd7137qlsykwckuc

  2. Add the openid scope.

From v5 (Nov 04, 2025) on, the full scope value for the token is: aud:i2zkcq1li0ps1pjh62gjj1892 openid

To retrieve a valid JWT, the following call (OAuth2 Client Credentials Flow) needs to be issued (sample given as cURL):

  curl -X POST \
  'https://portal.bosch-nexeed.com/iam/access-management/v1/tenants/<your-tenant-id>/openid-connect/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'cache-control: no-cache' \
  -d 'grant_type=client_credentials&client_id=<your-client-id>&client_secret=<your-client-secret>&scope=aud:<target-client-id>%20openid'

You’ll receive a JSON structure as a response where the property access_token is the JWT to be used for requests against services like the Digital Twin Registry.

To use the JWT, a request must have the following header set:

  Authorization: Bearer <access_token>

Token Expiry

The JWTs have a rather short lifetime. How you handle token expiry is up to you; here are two options:

  • Use the token until a service responds with a 401. In a fallback method, retrieve a new token, then retry the request.

  • Within your application, apply a hook or interceptor (most HTTP/REST libraries allow this) to check the token expiry. If the token would expire within, for example, the next 60 seconds, first retrieve a new token, then carry on with the request.
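
Both options combined, as an added example (not Bosch code): a token cache that refreshes when the JWT expires within 60 seconds, plus a single retry on a 401. The names TokenCache, fetch_token, jwt_exp and call_with_auth are hypothetical, and the example assumes the JWT carries a standard exp claim; the token request mirrors the cURL sample above.

```python
import base64, json, time, urllib.parse, urllib.request

TOKEN_URL = ("https://portal.bosch-nexeed.com/iam/access-management/v1/"
             "tenants/{tenant}/openid-connect/token")

def fetch_token(tenant, client_id, client_secret, target_client_id):
    """Client Credentials request, mirroring the cURL sample; returns the JWT."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # read from env or a secret store
        "scope": f"aud:{target_client_id} openid",
    }, quote_via=urllib.parse.quote).encode()
    url = TOKEN_URL.format(tenant=urllib.parse.quote(tenant, safe=""))
    req = urllib.request.Request(url, data=form, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]

def jwt_exp(token):
    """Read exp to schedule refresh only; this does not validate the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("exp", 0)

class TokenCache:  # hypothetical helper, not part of any Bosch SDK
    def __init__(self, fetch, skew=60, clock=time.time):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._exp = None, 0

    def get(self, force=False):
        # Option 2: refresh when the token expires within `skew` seconds.
        stale = self._token is None or self._clock() >= self._exp - self._skew
        if force or stale:
            self._token = self._fetch()
            self._exp = jwt_exp(self._token)
        return self._token

def call_with_auth(cache, send):
    """send(headers) -> (status, body). Option 1: on 401, refetch, retry once."""
    status, body = send({"Authorization": f"Bearer {cache.get()}"})
    if status == 401:
        status, body = send({"Authorization": f"Bearer {cache.get(force=True)}"})
    return status, body
```

Wire it up with `TokenCache(lambda: fetch_token(tenant, client_id, client_secret, target_client_id))`; `send` is whatever function performs your HTTP request and returns the status and body.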