Authorization
Overview
Agent Builder Platform supports two methods of authentication using NCP IAM:
-
Login Authorization: for interactive users via the Agent Builder Studio
-
Client Credentials: for service-to-service or automated integrations interacting directly with Agent Builder Platform APIs
One of the following IAM roles is required, regardless of authentication method:
-
Consumer: Only invoke agents
-
Solution Builder: Create, invoke, and update agents
-
Administrator: Create, invoke, update, and delete agents
Login Authorization
This method is intended for users accessing the APIs through Agent Builder Studio.
How It Works
- Users are redirected to our login page, where they enter IAM credentials
- After successful authentication, a session is established and users are logged into the Agent Builder Studio
- This token is automatically used by the Agent Builder Studio to make authenticated API calls
Guide
- Reach out to your point of contact to add your user profile to the desired environment's IAM (sandbox, dev, staging, prod)
- Specify what role you will require (see above)
- You will get an email to set your password
- Navigate to Agent Builder Studio, where you will be redirected to the login screen and provide the credentials you just setup
- You will now have access to use Agent Builder Studio with the role provided to your user
Client Credentials Authorization
This method is intended for users accessing the APIs directly from an external service.
How It Works
- Clients are created in IAM Admin Portal and linked to a service user with the necessary roles
- Each service manages the client ID / secret for their application
- A POST request to the IAM
/connectendpoint with the client credentials returns a JWT bearer token - The token is then used authenticate API calls
Guide
-
Reach out to your point of contact to gain access to the desired environment's IAM Admin Portal (sandbox, dev, staging, prod)
- You will get an email to set your password
-
Log into the IAM Admin Portal at https://admin.ENV.experience.hyland.com/ where ENV is the environment you are working in.
-
Under Identity -> Users, choose Create Service User
- Enter a username related to your service's function (ex. product-name-service-user)
- Select the least privileged user group for your service.
- e.g. if your service will only be invoking agents but not creating, select Consumers
- Enter a name for the client the service user will be connected to (ex. product-name-service-client)
- Create and make sure you copy the Client ID and Client Secret that are generated
- Note that you are responsible for managing the client secret for your service
-
Your client will now be displayed under External Systems -> External Applications
- Add the environment_authorization scope
- Select Content Intelligence Agent Builder Testing as Environment
- Select cin-agent-builder as Application
- Save the client
-
Send a POST request to generate a token:
curl -X POST https://auth.iam.<ENV>.experience.hyland.com/idp/connect/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=<CLIENT_ID>" \
-d "client_secret=<CLIENT_SECRET>" \
-d "scope=hxp environment_authorization" \
-d "grant_type=client_credentials"
- Use the access_token from the response body for requests to the Agent Orchestration API in the Authorization header