This configuration is for private environments as it supports modern OAuth2/OIDC standards, service accounts, MFA, and audit logging. For Saas/Cloud Tenants continue with CAS until a self-hosted version is supported. See: Intro to REST APIs.
OAuth 2.0
In order to authenticate as an API client with Crosswork Assurance, users can use OAuth 2.0. In this guide, we will explain how to configure Postman to use OAuth 2.0 authentication.
Note: While this guide uses Postman, other API clients that support OAuth 2.0 with PKCE (such as Bruno) can also be configured using the same authentication parameters.
Requirements
Before proceeding, ensure you have:
- An API client that supports OAuth 2.0 with PKCE (for example, Postman or Bruno) installed on your computer
- A valid Organization Owner account for your instance of Crosswork Assurance (for example, the default admin user for the deployment).
Phase 1: Set Up Your API Client
Step 1. Create a Request
-
Enter your request URL in Postman (or Bruno).
In this example, we will perform a call to retrieve connector configs:GET /api/v2/connector-configs. -
Enter the tenant domain as appropriate for your Crosswork Assurance deployment.
Note: Sending the request will result in a 401 response from Crosswork Assurance.

Step 2. Select OAuth 2.0
- From the Authorization tab for the request, set the
Typeto OAuth 2.0.

Phase 2: Obtain Client ID and Project ID from Zitadel
To complete the OAuth 2.0 configuration, you need two values from your deployment's identity and access management service (Zitadel):
- Client ID — identifies the AnalyticsUI application
- Project ID — required for the authorization scopes
Note: You can obtain these values using either the Zitadel UI or the tenant info API.
Step 1. Log In to Zitadel
Important: You must use the admin user account to perform this step.
-
Log in to your deployment's identity and access management service (Zitadel) at: https://auth.{{domain-name}} if your deployment is configured with a domain name or https://{{ip}}:3443 if it is not.
-
Navigate to the tenant organization.
Note: In this example the organization is namedpca.

Step 2. Copy the Project ID
-
From the Projects tab, select the Analytics project.

-
On the Analytics project overview page, copy the Resource Id. This is the Project ID you will use in the Scope configuration.

Step 3. Copy the Client ID
-
Choose the AnalyticsUI User Agent Application.

-
From the top-right corner of the screen, copy the Client Id.

(Alternative) Use the Tenant Info API
You can retrieve the Client ID and Project ID programmatically without logging in to Zitadel.
Request:
GET https://{tenant}.{domain}/api/v1/onboarding/tenant-info
Example:
curl -s https://warsaw.northbound.npav.accedian.net/api/v1/onboarding/tenant-info
{
"data": {
"attributes": {
"allowPasswordAuth": false,
"providerLinks": null,
"tenantId": "a59f2feb-41a7-4de4-ad31-8f55cd2d6674",
"tenantName": "warsaw",
"domain": "warsaw.northbound.npav.accedian.net",
"zitadelAuth": true,
"zitadelConfig": {
"authority": "https://auth.northbound.npav.accedian.net:443",
"clients": [
{
"appId": "371739744133983139",
"clientId": "371739744134048675",
"name": "AnalyticsAppM2M"
},
{
"appId": "371739744217869219",
"clientId": "371739744217934755",
"name": "AnalyticsUI"
},
{
"appId": "371739744301755299",
"clientId": "371739744301820835",
"name": "Orchestrator"
}
],
"organizationId": "371739743345453987",
"projects": [
{
"name": "Analytics",
"projectId": "371739743714552739"
}
]
}
},
"id": "warsaw",
"type": "tenant-info"
}
}
Phase 3: Complete Configuration in Your API Client
Step 1. Enter the Required OAuth 2.0 Configuration
- Return to your API client and enter the following values for the Oauth 2.0 configuration:
Note: In this example, the domain name configured for the deployment is npi.npav.accedian.net and the tenant is pca.
| Field | Value |
|---|---|
| Token Name | My Token |
| Grant Type | Authorization Code (With PKCE) |
| Callback URL | https://pca.npi.npav.accedian.net/login |
| Auth URL | https://auth.npi.npav.accedian.net:443/oauth/v2/authorize |
| Access Token URL | https://auth.npi.npav.accedian.net:443/oauth/v2/token |
| Client ID | {Copied Client ID from Step 3} |
| Client Secret | empty |
| Code Challenge Method | SHA-256 |
| Code Verifier | empty |
| Scope | openid profile email offline_access urn:zitadel:iam:org:project:id:{projectId}:aud urn:zitadel:iam:org:project:id:zitadel:aud urn:zitadel:iam:user:resourceowner Note: Replace {projectId} with the Project ID obtained in Phase 2: Obtain Client ID and Project ID from Zitadel. |
| State | empty |
| Client Authentication | Send as Basic Auth header |
Step 2. Obtain an Access Token
-
Click the Get New Access Token button.
A window will appear asking you to log in. -
Log in using your API user's credentials.
-
Click the Use Token button.
Step 3. Send the Request
- Send the request. You will now be authenticated.

© 2026 Cisco and/or its affiliates. All rights reserved.
For more information about trademarks, please visit: Cisco trademarks
For more information about legal terms, please visit: Cisco legal terms