How to Create AuthToken to access TaskList API in case of Self Managed Deployment

Hi,

Briefly:
I want to explore the GraphQL Tasklist REST API of Camunda 8.

Blocker:
Not sure how to get the access token in case of self managed deployment.

Details:

I am running Camunda 8 platform as a self managed deployment where I have elastic, zeebe, tasklist running on my laptop.

I was going through the article - tasklist REST API Overview | Camunda Platform 8 and wanted to invoke the APIs through POSTMAN.

Since it's a self managed deployment, what should be the inputs for the below parameters to get the authentication token?

{
  "client_id": "<client-id>",
  "client_secret": "<client-secret>",
  "audience": "<audience>",
  "grant_type": "client_credentials"
}

I am trying to fetch the token by invoking a POST method to url - http://localhost:26500/oauth/token. I hope the url is correct.

Thanks in advance
Srihari.

Hey @hari_kiran!
Maybe it is worth trying to run the Camunda 8 docker-compose.yaml and see if it is going to work with that one. It includes Zeebe, Tasklist, Operate and ElasticSearch without any IAM and Security.

I am also wondering how you obtained the source code for Tasklist? As far as I am concerned the code is not available to the public.

Let me know if you make any progress with this approach!
Best,
Thomas

Hi @Hafflgav, I’m sorry, I mistakenly wrote it as code. I actually downloaded the binaries from Release Camunda Platform 8.0.0 · camunda/camunda-platform · GitHub

I have a Windows laptop and hence cannot run Docker on this one. Any other approach that you can suggest that I should try?

@hari_kiran you should be able to run docker on windows.

Thanks @Hafflgav

I also found another way.

As mentioned in this article: Getting Started with Camunda Platform 8’s GraphQL API - Camunda we can invoke the tasklist login service to fetch the session id and use it in the further api calls to fetch the data.

We are able to use the session id returned in the above call in the further api calls as below.

Hope others find this useful as well.

Regards,
Srihari.

1 Like

Hey @hari_kiran!
Thanks for posting this :slight_smile:

Just a little addition: If you use Camunda Identity and Keycloak this authentication is not possible. So make sure to only use the core components when doing so. :slight_smile:

1 Like

Hi @hari_kiran ,

From my understanding, if you don’t have keycloak installed, what you have done in postman is the right way to call Tasklist API.

Once you have keycloak installed you can use the keycloak token endpoint to get the access token and add the token to your request header in the following format:

Authorization: Bearer <access_token>

The keycloak token endpoint by default should be:

Token_endpoint: ${issuer}/protocol/openid-connect/token

And basically you can have 2 ways to get the access token:

  1. grant_type: client_credentials

    content-type: x-www-form-urlencoded
    
    client_id: <client_id>
    client_secret: <client_secret>
    grant_type: client_credentials 
    audience: <client audience>  # tasklist in this case
    
  2. grant_type: password

    content-type: x-www-form-urlencoded
    
    client_id: <client_id>
    client_secret: <client_secret>
    grant_type: password
    username: demo   #users in keycloak or identity
    password: demo
    

I’m not sure if this is the recommended way to directly interact with keycloak for access token, but it does work for me. So far I couldn’t find any API exposed by Identity to get the access token.

2 Likes

Hey,
This seems the way to go for now, but I’m wondering how you are handling the TASKLIST_SESSION cookie? Right now I’m able to obtain the bearer token from the keycloak instance, but when I’m trying to call the graphql api I’m seeing a redirect, and as far as I can tell that’s because of the missing cookie on the request.

Thanks!

1 Like

Hello @bulivlad, did you find a way to get the cookies? Thanks

Hey, I know it sounds silly but there is no need to get the cookie to call the graphql endpoint. All you need is to make sure there is a trailing slash at the end of the url.
When calling http://[host]/graphql I always get a 400 response saying that I need to authenticate, however when calling http://[host]/graphql/ - note the trailing slash - I get a 200 response without using any cookie.

3 Likes

Hi @bulivlad, @mazenoddo, @hari_kiran,

I’m trying to validate with the community if the token-based authentication works as expected in the Self-managed environment. Have you tried to authenticate to Tasklist with JWT? Authentication | Camunda Platform 8 Docs
Do you maybe have any suggestions to improve the documentation, or did everything work well?

Best,
Alex

Hi @aleksander-dytko,
Yes, I did the authentication to Tasklist with JWT.
So to start, you have to add an application in Identity as per the Camunda docs and add permissions to the application for the Tasklist API.
In the Camunda docs, the JWT token is an ‘App token’; to get a user token you have to make a POST call to Keycloak (check @GgJinFWu's response above)

and use the JWT token in your graphql call header (the token is the “access_token” field in the Keycloak POST response).

I had a small issue when claiming a task, for example, as per the graphql schema:

claimTask(taskId: String!, assignee: String): Task!

Claim a task with taskId to currently logged in user. Returns the task.

I was forced to pass the assignee parameter; the system was not able to detect the assignee from the JWT token (I think it’s a Tasklist exception).
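
The calls described in this thread, put together as an added example (not code from any poster or from Camunda): a client_credentials request to the Keycloak token endpoint, then a `claimTask` mutation sent to `/graphql/` with the Bearer header and an explicit assignee. The environment variable names, the example hosts and the selected `id assignee` response fields are assumptions.

```python
import json
import os
import sys
import urllib.parse
import urllib.request


def token_request(issuer, client_id, client_secret, audience):
    """Build the client_credentials POST for ${issuer}/protocol/openid-connect/token."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,  # "tasklist" in this thread
    }).encode()
    return urllib.request.Request(
        issuer.rstrip("/") + "/protocol/openid-connect/token", data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")


def claim_task_request(tasklist_url, access_token, task_id, assignee):
    """Build the claimTask mutation; values go in GraphQL variables, never
    spliced into the query text, and assignee is always sent explicitly."""
    body = {
        "query": "mutation($taskId: String!, $assignee: String) { "
                 "claimTask(taskId: $taskId, assignee: $assignee) { id assignee } }",
        "variables": {"taskId": task_id, "assignee": assignee},
    }
    return urllib.request.Request(
        tasklist_url.rstrip("/") + "/graphql/",  # trailing slash, per the thread
        data=json.dumps(body).encode(),
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"}, method="POST")


def send(request):
    """Send a prepared request and decode the JSON response."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Hypothetical environment variable names; the secret stays out of the source.
    env = os.environ
    token = send(token_request(env["KEYCLOAK_ISSUER"], env["TASKLIST_CLIENT_ID"],
                               env["TASKLIST_CLIENT_SECRET"], "tasklist"))["access_token"]
    task_id, assignee = sys.argv[1:3]
    print(send(claim_task_request(env["TASKLIST_URL"], token, task_id, assignee)))
```

Because the token is issued to the application rather than to a user, the assignee passed here is whatever the calling service asserts, so that service has to authenticate its own users before claiming on their behalf.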

Hi @mazenoddo,

Thanks for the validation, I appreciate your answer!

Regarding:

The JWT token is mainly meant for m2m communication - so when you have some client application that uses GraphQL, the token is issued for that application, not for the user. This allows having one token, not one for each user using it.

Thanks for letting us know though, we’ll clarify this in claimTask | Camunda Platform 8 Docs

@aleksander-dytko how to find the current user using the JWT token of an m2m communication? I think we need to have a token per user to claim and complete a task