Access API Operate : JWT payload validation failed

Hello,
This is about Camunda Cloud version 8 that I’m testing for a specific project
I would like to integrate the Camunda Cloud version 8 as backend in my application architecture using its API

Using the document, I create a client ID and initiate an OAuth connection to the url https://login.cloud.camunda.io/oauth/token. This works and I received the Bearer token.
By using the Public API of the service Operate using the bearer token to search for process definition, I use the url given by the console

I received the following message JWT payload validation failed. So I suppose that the token generated by the oauth connection is not the right one. I don’t find in the documentation any clue about this problem
Could you please guide me ?
Thanks in advance
Olivier

Hi @Oli_Pot,

Welcome to Camunda Forum!

@ralfpuchert do you know what might be an issue here?

Thanks,
Alex

Hi @Oli_Pot ,
This error message means that the Bearer token is not valid. I can imagine the audience for getting the bearer token is wrong.

Can you give me following information, please:

  1. Which version of Operate do you use?
  2. Which parameters did you use to get the Bearer token (except client_id and client_secret).

This looks like this in JSON format:

{
"client_id": "g6HlaZncAqRu5...",
"client_secret": "7g3iZnEvMkr...",
"audience": "operate.ultrawombat.com",
"grant_type": "client_credentials"
}

Thanks and best regards,
Ralf

Hello @ralfpuchert,
Thanks for your help, effectively the bearer token was not valid
When I create the client API, I see that the token audience is zeebe.camunda.io. Based on your answer, I suspect that this is not the good one :wink:

I’m not sure if it’s the right info you need but “the client ID screen” specified that I use this version
Zeebe 8.2.0-alpha2; is it the info that you expect ?
Thanks in advance for your support
Best Regards,
Olivier

Hello @Oli_Pot ,
Thanks for the version information. I wanted it in case of errors.

Could you please try to get a Bearer token by using operate.camunda.io ? In the API Operate documentation you can see an example:

Hope this helps,

Best,
Ralf

Hello @ralfpuchert,

I tried your proposition, my mistake was to use the info “audience” in the file CamundaCloudMgmtAPI-Client-olipote received by CamundaCloud instance when I created the client API. It was not clear for me.
However, I tried it with the audience that you proposed : operate.camunda.io and I have the same error message, I also tried dsm-1.operate.camunda.io, that is the URL proposed in the file it doesn’t work too… Just for your information, the postman collection for the POST request doesn’t mention an API version like your example, but I suppose that it’s because this is the selfhost solution…
If you need more input, don’t hesitate …
Best
Olivier

Hello @Oli_Pot ,

Can you describe in more detail how you get the Bearer token and how you use it?
Can you also try the following procedure (with Postman, I can also provide curl commands):

  1. Get a Bearer token
    POST https://login.cloud.camunda.io/oauth/token
{
"client_id": "g6HlaZncAqRu5...",
"client_secret": "7g3iZnEvMkr...",
"audience": "operate....",   <- Use the audience you found in file CamundaCloudMgmtAPI-Client-olipote but replace zeebe with operate
"grant_type": "client_credentials"
}

You should get a response like this:

{
    "access_token": "eyJhbGciOiJSUz.....", "scope":"b6...",
...
  2. Use the field value access_token in response as Bearer token for request operate API
    POST https://<your-operate-url-in-cloud>/v1/process-instances/search
{}

You should get a response like this:

{
    "items": [
        {
            "key": 2251799813685292,
            "processVersion": 1,
            "bpmnProcessId": "Process_b1711b2e-ec8e-4dad-908c-8c12e028f32f",
...

Thank you.
Best regards,

Ralf

Hello @ralfpuchert ,

It works!
with the v1 in the url. This was the problem
thanks for your support
Now I can continue to analyse the API
Best Regards,
Olivier


Hai @ralfpuchert ,
I followed this process for token generation and request operate API, still I am getting ‘JWT payload validation failed’. I am using camunda 8 saas (zeebe8.3.0-alpha 1 cluster).
Best Regards,
Vijay

Hi @vijayababu_Kunche,

Can you please provide following information (except the sensible parts)

  • How you obtained the JWT token? (requests)
  • How do you request the API with the token (request)

Thank you,
Ralf

Hai @ralfpuchert ,
Thanks for your reply,

I got the Bearer token by sending ‘Post’ request using URL ‘https://login.cloud.camunda.io/oauth/token’.
Values passed in post request body are

  • client_id :" ",
  • client_secret: " ",
  • audience :“api.cloud.camunda.io”, -->I got that by creating API in console
  • grant_type: “client_credentials”.
  1. I requested the API by sending ‘Post’ request URL “https://camunda_operate_url_in_cloud/v1/process-instances/search” and token.

Best,
Vijay.

Hello @vijayababu_Kunche ,

I assume you got a token response like this:

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5c....cnnR36IiKniFhCWigWRfJ4uJw",
    "scope": "c5149035-.....9d5",
    "expires_in": 86400,
    "token_type": "Bearer"
}

Then I searched process instances. It is important to give a payload. The simplest one is an ‘empty’ payload ‘{}’ Here the example request as curl command:

curl --location 'https://<cluster-url>/v1/process-instances/search' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJhbGciOi....fJ4uJw' \
--data '{ }'

I got back a response like this:

{
    "items": [
        {
            "key": 2251799813685370,
            "processVersion": 1,
            "bpmnProcessId": "Process_b1711b2e-ec8e-4dad-908c-8c12e028f32f",
            "startDate": "2023-05-04T09:53:33.582+0000",
            "state": "ACTIVE",
            "processDefinitionKey": 2251799813685366
        },
       ....
    ],
    "sortValues": [
        2251799813685554
    ],
    "total": 5123
}

So it works as expected.

Can you please check your request whether it has a payload and also the headers? Otherwise please tell me your specific request. Maybe something is missing.

Thanks,

Ralf

Hai @ralfpuchert ,
Thanks for the help,

This is how I am generating token

and My post request for process instances is like this


In body–>raw I passed empty data {}.

In process instance post request URL if I used cluster URL —> I’m getting “401 authorization required” or
if I used operate URL ----> I’m getting “JWT payload validation failed”.

Thank you,
Best regards,
Vijay.

As mentioned earlier in this thread, the audience for operate is operate.camunda.io not api.cloud.camunda.io

Hi @vijayababu_Kunche,

I think you are getting a token for the console-api.
In order to get a token for Operate API please try the operate prefix in the audience field.

Example:

{
 "client_id" : "client-id",
  ...
 "audience":  "operate.camunda.io",
 "grant_type": "client_credentials"
}

Best regards,
Ralf


Hai @ralfpuchert ,
Thank you,

It’s working with the change of audience and using Operate URL in operate Post request .
Thanks for your support.

Best Regards,
Vijay.
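
Added example, not part of the original posts and not Camunda's own code: a local check of which audience a token was actually issued for, the mismatch behind both cases in this thread. The function names and sample tokens are constructed for illustration, and it assumes the audience sent to the token endpoint appears in the token's `aud` claim.

```python
import base64
import json
import time

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims):
    """Build a constructed sample token with a fake signature (example only)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     "constructed-signature"])

def decode_payload(token):
    """Decode the payload WITHOUT verifying the signature: diagnosis only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def diagnose(token, expected_audience, now=None):
    """Return the reasons an API expecting `expected_audience` would reject the token."""
    claims = decode_payload(token)
    problems = []
    aud = claims.get("aud")
    # RFC 7519 allows "aud" to be a single string or a list of strings.
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not include {expected_audience!r}")
    exp = claims.get("exp")
    if exp is not None and exp <= (time.time() if now is None else now):
        problems.append("token expired")
    return problems

# Constructed sample data: the two audiences that appear in the thread.
NOW = 1_700_000_000
CONSOLE_TOKEN = make_sample_token({"aud": "api.cloud.camunda.io", "exp": NOW + 86400})
OPERATE_TOKEN = make_sample_token({"aud": "operate.camunda.io", "exp": NOW + 86400})

if __name__ == "__main__":
    for name, tok in (("console", CONSOLE_TOKEN), ("operate", OPERATE_TOKEN)):
        # Print only the findings, never the token itself.
        print(name, diagnose(tok, "operate.camunda.io", now=NOW) or "ok")
```

Run it against a real `access_token` on your own machine; the decoded payload is not trusted data, since the signature is not verified here.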