API Authentication¶

The following document explains how to authenticate with Run:ai APIs.

Run:ai APIs are accessed using bearer tokens. A token can be obtained in several ways:

When logging into the Run:ai user interface, you enter an email and password (or authenticated via single sign-on) which are used to obtain a token.
When using the Run:ai command-line, you use a Kubernetes profile and are authenticated by pre-running runai login (or oc login with OpenShift). The command attaches a token to the profile and allows you access to Run:ai functionality.
When using Run:ai APIs, you need to create an Application through the Run:ai user interface. The Application is created with specific roles and contains a secret. Using the secret you can obtain a token and use it within subsequent API calls.

Create a Client Application¶

Open the Run:ai Run:ai User Interface.
Go to Settings | Application and create a new Application.
Set the required roles:
- Select Researcher to manipulate Jobs using the Cluster API. To provide access to a specific project, you will also need to go to Application | Projects and provide the Application with access to specific projects.
- Select Editor to manipulate Projects and Departments using the Administrator REST API.
- Select Administrator to manipulate Users, Tenant Settings and Clusters using the Administrator REST API.
Copy the <APPLICATION-NAME> and <CLIENT-SECRET> to be used below
Go to Settings | General, under Researcher Authentication copy <REALM>.

Important

Creating Client Application tokens is only available with SaaS installations where the tenant has been created post-January 2022 or any Self-hosted installation. If you are an administrator but do not see the Settings | Application area, please contact Run:ai customer support.

Request an API Token¶

Use the above parameters to get a temporary token to access Run:ai as follows.

Example command to get an API token¶

Replace <COMPANY-URL> below with app.run.ai for SaaS installations (not <company>.run.ai) or the Run:ai user interface URL for Self-hosted installations.

cURLPython

curl -X POST 'https://<COMPANY-URL>/auth/realms/<REALM>/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=openid' \
--data-urlencode 'response_type=id_token' \
--data-urlencode 'client_id=<APPLICATION-NAME>' \
--data-urlencode 'client_secret=<CLIENT-SECRET>'

import requests
import json

COMPANY_URL = "app.run.ai"
COMPANY_REALM = "acme"
APPLICATION_NAME = "app-name"
CLIENT_SECRET = "secret"

def  runai_authenticate():    
    url = "https://" + COMPANY_URL + "/auth/realms/" +  \
        COMPANY_REALM + "/protocol/openid-connect/token"

    payload = 'grant_type=client_credentials&scope=openid&response_type=id_token&client_id=' + \
        APPLICATION_NAME + '&client_secret=' + CLIENT_SECRET
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded'
    }

    response = requests.request("POST", url, headers=headers, data=payload)
    if response.status_code //100 == 2:
        j = json.loads(response.text)
        return j["access_token"]
    else:
        print(json.dumps(json.loads(response.text), sort_keys=True, indent=4, separators=(",", ": ")))
        return

Response¶

The API response will look as follows:

API Response

{
  "access_token": "...", // (1)
  "expires_in": 36000,
   ....
  "token_type": "bearer"
  "id_token": "..."
}

Use the id_token as the Bearer token below.

To call APIs, the application must pass the retrieved access_token as a Bearer token in the Authorization header of your HTTP request.

To retrieve and manipulate Workloads, use the Cluster API. Researcher API works at the cluster level and you will have different endpoints for different clusters.
To retrieve and manipulate other metadata objects, use the Administrator REST API. Administrator API works at the control-plane level and you have a single endpoint for all clusters.