Documentation Index

Fetch the complete documentation index at: https://docs.crossworkassurance.cisco.com/llms.txt

Use this file to discover all available pages before exploring further.

New: Try our AI‑powered Search (Ctrl + K) — Read more

Configure OAuth 2.0 Clients for API Access

Prev Next
On-Premise Customers

This configuration is for private environments as it supports modern OAuth2/OIDC standards, service accounts, MFA, and audit logging. For Saas/Cloud Tenants continue with CAS until a self-hosted version is supported. See: Intro to REST APIs.

OAuth 2.0

In order to authenticate as an API client with Crosswork Assurance, users can use OAuth 2.0. In this guide, we will explain how to configure Postman to use OAuth 2.0 authentication.

Note: While this guide uses Postman, other API clients that support OAuth 2.0 with PKCE (such as Bruno) can also be configured using the same authentication parameters.

Requirements

Before proceeding, ensure you have:

  • An API client that supports OAuth 2.0 with PKCE (for example, Postman or Bruno) installed on your computer
  • A valid Organization Owner account for your instance of Crosswork Assurance (for example, the default admin user for the deployment).

Phase 1: Set Up Your API Client

Step 1. Create a Request

  1. Enter your request URL in Postman (or Bruno).
    In this example, we will perform a call to retrieve connector configs: GET /api/v2/connector-configs.

  2. Enter the tenant domain as appropriate for your Crosswork Assurance deployment.
    Note: Sending the request will result in a 401 response from Crosswork Assurance.

image.png

Step 2. Select OAuth 2.0

  1. From the Authorization tab for the request, set the Type to OAuth 2.0.

image.png


Phase 2: Obtain Client ID and Project ID from Zitadel

To complete the OAuth 2.0 configuration, you need two values from your deployment's identity and access management service (Zitadel):

  • Client ID — identifies the AnalyticsUI application
  • Project ID — required for the authorization scopes

Note: You can obtain these values using either the Zitadel UI or the tenant info API.

Step 1. Log In to Zitadel

Important: You must use the admin user account to perform this step.

  1. Log in to your deployment's identity and access management service (Zitadel) at: https://auth.{{domain-name}} if your deployment is configured with a domain name or https://{{ip}}:3443 if it is not.

  2. Navigate to the tenant organization.
    Note: In this example the organization is named pca.
    image.png

Step 2. Copy the Project ID

  1. From the Projects tab, select the Analytics project.
    image.png

  2. On the Analytics project overview page, copy the Resource Id. This is the Project ID you will use in the Scope configuration.
    Image

Step 3. Copy the Client ID

  1. Choose the AnalyticsUI User Agent Application.
    image.png

  2. From the top-right corner of the screen, copy the Client Id.
    image.png

(Alternative) Use the Tenant Info API

You can retrieve the Client ID and Project ID programmatically without logging in to Zitadel.

Request:

GET https://{tenant}.{domain}/api/v1/onboarding/tenant-info

Example:

curl -s https://warsaw.northbound.npav.accedian.net/api/v1/onboarding/tenant-info
{
  "data": {
    "attributes": {
      "allowPasswordAuth": false,
      "providerLinks": null,
      "tenantId": "a59f2feb-41a7-4de4-ad31-8f55cd2d6674",
      "tenantName": "warsaw",
      "domain": "warsaw.northbound.npav.accedian.net",
      "zitadelAuth": true,
      "zitadelConfig": {
        "authority": "https://auth.northbound.npav.accedian.net:443",
        "clients": [
          {
            "appId": "371739744133983139",
            "clientId": "371739744134048675",
            "name": "AnalyticsAppM2M"
          },
          {
            "appId": "371739744217869219",
            "clientId": "371739744217934755",
            "name": "AnalyticsUI"
          },
          {
            "appId": "371739744301755299",
            "clientId": "371739744301820835",
            "name": "Orchestrator"
          }
        ],
        "organizationId": "371739743345453987",
        "projects": [
          {
            "name": "Analytics",
            "projectId": "371739743714552739"
          }
        ]
      }
    },
    "id": "warsaw",
    "type": "tenant-info"
  }
}

Phase 3: Complete Configuration in Your API Client

Step 1. Enter the Required OAuth 2.0 Configuration

  1. Return to your API client and enter the following values for the Oauth 2.0 configuration:

Note: In this example, the domain name configured for the deployment is npi.npav.accedian.net and the tenant is pca.

Field Value
Token Name My Token
Grant Type Authorization Code (With PKCE)
Callback URL https://pca.npi.npav.accedian.net/login
Auth URL https://auth.npi.npav.accedian.net:443/oauth/v2/authorize
Access Token URL https://auth.npi.npav.accedian.net:443/oauth/v2/token
Client ID {Copied Client ID from Step 3}
Client Secret empty
Code Challenge Method SHA-256
Code Verifier empty
Scope openid profile email offline_access urn:zitadel:iam:org:project:id:{projectId}:aud urn:zitadel:iam:org:project:id:zitadel:aud urn:zitadel:iam:user:resourceowner

Note: Replace {projectId} with the Project ID obtained in Phase 2: Obtain Client ID and Project ID from Zitadel.

State empty
Client Authentication Send as Basic Auth header

Step 2. Obtain an Access Token

  1. Click the Get New Access Token button.
    A window will appear asking you to log in.

  2. Log in using your API user's credentials.

  3. Click the Use Token button.

Step 3. Send the Request

  1. Send the request. You will now be authenticated.

image.png

© 2026 Cisco and/or its affiliates. All rights reserved.

For more information about trademarks, please visit:
Cisco trademarks 
For more information about legal terms, please visit:
Cisco legal terms