Authorization
Overview
Agent Builder Platform supports three methods of authentication using NCP IAM:
-
Login Authorization: for interactive users via the Agent Builder Studio
-
Client Credentials - External Application: for external customers only - service-to-service or automated integrations interacting directly with Agent Builder Platform APIs using a mapped Service User
-
Client Credentials - Restricted Scope: for internal Hyland consumers only - service-to-service or automated integrations interacting directly with Agent Builder Platform APIs with no user context
One of the following IAM roles is required:
-
Consumer: Only invoke agents
-
Solution Builder: Create, invoke, and update agents
-
Administrator: Create, invoke, update, and delete agents
- Note: Administrator role is automatically used with restricted scope auth
Login Authorization
This method is intended for users accessing the APIs through Agent Builder Studio.
How It Works
- Users are redirected to our login page, where they enter IAM credentials
- After successful authentication, a session is established and users are logged into the Agent Builder Studio
- This token is automatically used by the Agent Builder Studio to make authenticated API calls
Guide
- Reach out to your point of contact to add your user profile to the desired environment's IAM (sandbox, dev, staging, prod)
- Specify what role you will require (see above)
- You will get an email to set your password
- Navigate to Agent Builder Studio, where you will be redirected to the login screen and provide the credentials you just setup
- You will now have access to use Agent Builder Studio with the role provided to your user
Client Credentials Authorization - External Customers
This method is intended for users accessing the APIs directly from an external service.
How It Works
- External Applications are created in IAM Admin Portal and linked to a Service User with the necessary role
- Each service manages the client ID / secret for their External Application
- A POST request to the IAM
/connectendpoint with the client credentials for the External Application returns a JWT bearer token - The token is then used authenticate API calls
Guide
-
Reach out to your point of contact to gain access to the desired environment's IAM Admin Portal (sandbox, dev, staging, prod)
- You will get an email to set your password
-
Log into the IAM Admin Portal at https://admin.ENV.experience.hyland.com/, where ENV is the environment you are working in.
-
Under Identity -> Users, choose Create Service User
- Enter a username related to your service's function (ex. product-name-service-user)
- Select the least privileged user group for your service.
- e.g. if your service will only be invoking agents but not creating, select Agent Studio Solution Consumers
- Enter a name for the client the service user will be connected to (ex. product-name-service-client)
- Create and make sure you copy the Client ID and Client Secret that are generated
- Note that you are responsible for managing the client secret for your service
-
Your client will now be displayed under External Systems -> External Applications
- Add the environment_authorization scope
- Select Content Intelligence Agent Builder Testing as Environment
- Select cin-agent-builder as Application
- Save the client
-
Send a POST request to generate a token:
curl -X POST https://auth.iam.<ENV>.experience.hyland.com/idp/connect/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=<CLIENT_ID>" \
-d "client_secret=<CLIENT_SECRET>" \
-d "scope=hxp environment_authorization" \
-d "grant_type=client_credentials"
- Use the access_token from the response body for requests to the Agent Orchestration API in the Authorization header
Client Credentials Authorization - Internal Hyland Consumers Only
This method is intended for users accessing the APIs directly from an internal Hyland service.
How It Works
- Client Credentials clients are provisioned via Terraform Provider
- The client ID is mapped to the restricted Agent Builder scope
- A POST request to the IAM
/connectendpoint with the client credentials returns a JWT bearer token - The token is then used authenticate API calls, passing environment information via headers
Guide
-
Provision a new Client Credentials client in the Terraform Infrastructure repository
-
Submit an HXIAM ticket to map the new client ID to the restricted Agent Builder Scope
-
Send a POST request to generate a token:
curl -X POST https://auth.iam.<ENV>.experience.hyland.com/idp/connect/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=<CLIENT_ID>" \
-d "client_secret=<CLIENT_SECRET>" \
-d "scope=hxp <restricted scope>" \
-d "grant_type=client_credentials"
-
Use the access_token from the response body for requests to the Agent Orchestration API in the Authorization header
-
Add X-AccountID, X-EnvironmentID, and X-User-Context headers to the request to pass the NCP environment and user context.