Back to App

API

Authentication

OAuth2, MSAL, and API key authentication

Overview

The Confluent Self-Service API uses Microsoft Entra ID (formerly Azure AD) for authentication and authorization. This ensures secure, enterprise-grade access control for all API operations.

All API endpoints require a valid OAuth2 access token, except for public documentation pages.

Authentication Flow

The API supports the OAuth 2.0 Authorization Code flow with PKCE:

  1. Initiate Login: Navigate to the login endpoint or click "Sign in" in the UI
  2. Microsoft Authentication: You'll be redirected to Microsoft's login page
  3. Consent: Grant the application permission to access your profile
  4. Token Exchange: The application receives an access token
  5. API Access: Use the access token to authenticate API requests

Authorization

Access to resources is controlled through Entra ID groups:

Business Unit Access

Users are assigned to business unit groups that determine which Kafka resources they can access. Each business unit has isolated environments (dev, qas, run).

Admin Access

Members of the daai-platform-admin group have elevated privileges including cross-business-unit access and configuration management.

API Authentication

Include the access token in the Authorization header for all API requests:

Authorization: Bearer <your-access-token>

Access tokens are valid for a limited time. The UI automatically handles token refresh, but API consumers should implement token renewal logic.

Command Line Authentication

When using the command line, you can obtain an access token using the Azure CLI.

Using Your Personal Account

# Ensure Azure subscription is set correctly
az account set --subscription <subscription>

# Login using your personal credentials
az login --tenant <TENANT_ID>

# Get access token
MY_SECRET_TOKEN=$(az account get-access-token \
    --resource api://a04e29d3-8f55-44c3-8f9d-15172eab76a9 \
    --query accessToken -otsv)

# Make API request (update URL with actual endpoint)
curl -X GET \
    https://<URL>/<business_unit>/<stage>/topics \
    -H "Authorization: Bearer $MY_SECRET_TOKEN" | jq .

Using a Service Principal

# Ensure Azure subscription is set correctly
az account set --subscription <subscription>

# Login using service principal credentials
# <application_id> is the client_id
# <password> is the client_secret
az login --service-principal \
    -u <application_id> \
    -p <password> \
    --tenant <TENANT_ID>

# Get access token
MY_SECRET_TOKEN=$(az account get-access-token \
    --resource api://a04e29d3-8f55-44c3-8f9d-15172eab76a9 \
    --query accessToken -otsv)

# Make API request (update URL with actual endpoint)
curl -X GET \
    https://<URL>/<business_unit>/<stage>/topics \
    -H "Authorization: Bearer $MY_SECRET_TOKEN" | jq .

Note

Replace <subscription>, <URL>, <business_unit>, and <stage> with your actual values.

Security Best Practices

  • Never share or expose your access tokens
  • Use HTTPS for all API communications
  • Store tokens securely and never in client-side code
  • Implement token refresh before expiration
  • Log out when finished to invalidate your session
Back to top

About

Confluent Self-Service is part of the E.ON BRAIN platform, providing business units with governed access to Kafka streaming resources. Manage topics, connectors, and schemas through a secure, multi-tenant interface backed by Microsoft Entra ID authentication.

Links

Service & Contact

Esc