Help Center/ Identity and Access Management/ API Reference/ API/ Token Management/ Obtaining a User Token Through Password Authentication

Updated on 2025-03-28 GMT+08:00

View PDF

Obtaining a User Token Through Password Authentication

Function

This API is used to obtain a user token using the username and password. A token is an access credential issued to an IAM user to bear its identity and permissions. When calling the APIs of IAM or other cloud services, you can use this API to obtain a user token for authentication. However, you are advised to call APIs through AK/SK-based authentication to prevent API calling failures caused by invalid cached tokens.

The API can be called using either a global endpoint or a region-specific endpoint. For IAM endpoints, see Regions and Endpoints.

Before using this API, check the identity to be used to obtain the token.

Figure 1 Methods of obtaining tokens for different identities
Click to enlarge

Obtaining a token as an IAM user
Obtain a token based on the request parameters.
Obtaining a token using a HUAWEI ID
A HUAWEI ID cannot be directly used to obtain a token. Check whether your account is a HUAWEI ID by referring to How Do I Know What Account I Am Logged In With?

To obtain a token, you need to create an IAM user, assign required permissions to the user, and use the IAM username and password to obtain a token.
Obtaining a token using a Huawei Cloud account
Obtain a token based on the request parameters.
Obtaining a token as a third-party system user
A third-party system user cannot directly obtain a token by using the username and password used for identity federation. Instead, you should go to the Huawei Cloud login page, click Forgot Password, and reset the password. Then you can use the new password to obtain a token.

To obtain a token using Postman, see How Do I Obtain a User Token Using Postman?

Constraints

The validity period of a token is 24 hours. Cache the token to prevent frequent API calling. Ensure that the token is valid before you use it. Using a token that will soon expire may cause API calling failures. Obtaining a new token does not affect the validity of the existing token.
The token will become invalid within 30 minutes if any of the following occurs:
- The IAM user is deleted or disabled.
- The IAM user's password or access key is changed.
- The IAM user's permissions are changed (for example, due to outstanding payments, OBT application approval, or permission modification).
If The token must be updated is returned when a token is used to call a cloud service API, the token has expired. You need to obtain a new token.
Whether a token can be tampered with: Token signature verification ensures that a token has not been tampered with by validating its signature.

Debugging

You can debug this API in API Explorer.

URI

POST /v3/auth/tokens

**Table 1** Query parameters
Parameter	Mandatory	Type	Description
nocatalog	No	String	If this parameter is set, no catalog information will be displayed in the response. Any non-empty character string set for this parameter will be interpreted as true and indicate that no catalog information will be displayed.

Request Parameters

**Table 2** Parameters in the request header
Parameter	Mandatory	Type	Description
Content-Type	Yes	String	Set this parameter to application/json;charset=utf8.

**Table 3** Parameters in the request body
Parameter	Mandatory	Type	Description
auth	Yes	Object	Authentication information.

**Table 4** auth
Parameter	Mandatory	Type	Description
identity	Yes	Object	Authentication parameter.
scope	Yes	Object	Application scope of the token. Value options: project and domain. NOTE: If the scope is set to domain, the token applies to global services. If the scope is set to project, the token applies to project-level services. If the scope is set to both project and domain, the project is used and you get a token for project-level services. If the scope is left blank, you get a token for global services. You are advised to specify this parameter.

**Table 5** auth.identity
Parameter	Mandatory	Type	Description
methods	Yes	Array of strings	Authentication method. Set this parameter to ["password"].
password	Yes	Object	Password authentication information of an IAM user. NOTE: View your username and account name on the My Credentials page. For details, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. This API uses a lockout mechanism to prevent brute force cracking. Ensure that the username and password are correct when calling this API. If you enter the username and password incorrectly for a certain number of times, the account will be locked.

**Table 6** auth.identity.password
Parameter	Mandatory	Type	Description
user	Yes	Object	Information about the IAM user who requests for the token.

**Table 7** auth.identity.password.user
Parameter	Mandatory	Type	Description
domain	Yes	Object	Information about the account used to create the IAM user. For details about the relationship between accounts and IAM users, see Relationship Between an Account and Its IAM Users.
name	Yes	String	IAM username.
password	Yes	String	Password of the IAM user. NOTE: To obtain a token successfully, ensure that the password you provide is correct. If your Huawei Cloud account has been upgraded to a HUAWEI ID, you cannot obtain a token using the HUAWEI ID. Instead, you can create an IAM user, grant the user required permissions, and obtain a token as the user. If you are a user of a third-party system, you cannot obtain a token by using the username and password that you use for federated identity authentication. Go to the Huawei Cloud login page, click Forgot Password, and reset the password.

**Table 8** auth.identity.password.user.domain
Parameter	Mandatory	Type	Description
name	Yes	String	Account name. For details about how to obtain the account name, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.

**Table 9** auth.scope
Parameter	Mandatory	Type	Description
domain	No	Object	If this parameter is set to the domain, the token can be used to access global services, such as OBS. Global services are not subject to any projects or regions. For details about the service scope, see System-defined Permissions. The domain can be an ID (recommended) or name.
project	No	Object	If this parameter is set to the project, the token can only be used to access services (such as ECS) in specific projects. For details about the service scope, see System-defined Permissions. The project can be an ID or name.

**Table 10** auth.scope.domain
Parameter	Mandatory	Type	Description
id	No	String	Account ID. For details about how to obtain the account ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. If auth.scope is set to domain, the obtained token can be used for global services. Either id or name must be specified.
name	No	String	Account name. For details about how to obtain the account name, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. If auth.scope is set to domain, the obtained token can be used for global services. Either id or name must be specified.

**Table 11** auth.scope.project
Parameter	Mandatory	Type	Description
id	No	String	Project ID. For details about how to obtain the project ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. If auth.scope is set to project, the obtained token can be used for project-level services. Either id or name must be specified. The project ID varies depending on the region where the service is located.
name	No	String	Project name. For details about how to obtain the project name, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. If auth.scope is set to project, the obtained token can be used for project-level services. Either id or name must be specified.

Example Request

Request for obtaining a token for an IAM user (username: IAMUser, password: IAMPassword, account name: IAMDomain, scope: project ap-southeast-1) without displaying catalog information in the response. You can obtain the IAM username and account name on the My Credentials page of the console. For details, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.

POST https://iam.myhuaweicloud.com/v3/auth/tokens?nocatalog=true

{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "domain": {
                        "name": "IAMDomain"        // Name of the account used to create the IAM user
                    },
                    "name": "IAMUser",             // IAM username
                    "password": "IAMPassword"      // IAM user password
                }
            }
        },
        "scope": {
            "project": {
                "name": "ap-southeast-1"               //Project name
            }
        }
    }
}

Request for obtaining a token for an IAM user (username: IAMUser, password: IAMPassword, account name: IAMDomain, scope: domain) You can obtain the IAM username and account name on the My Credentials page of the console. For details, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.

POST https://iam.myhuaweicloud.com/v3/auth/tokens

{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "domain": {
                        "name": "IAMDomain"        // Name of the account used to create the IAM user
                    },
                    "name": "IAMUser",             // IAM username
                    "password": "IAMPassword"      // IAM user password
                }
            }
        },
        "scope": {
            "domain": {
                "name": "IAMDomain"        // Name of the account used to create the IAM user
            }
        }
    }
}

Response Parameters

**Table 12** Parameters in the response header
Parameter	Type	Description
X-Subject-Token	String	Signed token, which is less than 32 KB.

**Table 13** Parameters in the response body
Parameter	Type	Description
Token	Object	Token information.

**Table 14** Token
Parameter	Type	Description
catalog	Array of objects	Catalog information.
domain	Object	Account information about the IAM user who requests for the token. This parameter is returned only when the scope parameter in the request body has been set to domain.
expires_at	String	Time when the token will expire. NOTE: The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601.
issued_at	String	Time when the token was issued. NOTE: The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601.
methods	Array of strings	Method for obtaining the token.
project	Object	Project information about the IAM user. This parameter is returned only when the scope parameter in the request body has been set to project.
roles	Array of objects	Permissions information of the token.
user	Object	Information about the IAM user who requests for the token.

**Table 15** Token.catalog
Parameter	Type	Description
endpoints	Array of objects	Endpoint information.
id	String	Service ID.
name	String	Service name.
type	String	Type of the service which the API belongs to.

**Table 16** Token.catalog.endpoints
Parameter	Type	Description
id	String	Endpoint ID.
interface	String	Visibility of the API. public indicates that the API is available for public access.
region	String	Region which the endpoint belongs to.
region_id	String	Region ID.
url	String	Endpoint URL.

**Table 17** Token.domain
Parameter	Type	Description
name	String	Account name.
id	String	Account ID.

**Table 18** Token.project
Parameter	Type	Description
domain	Object	Account information about the project.
id	String	Project ID.
name	String	Project name.

**Table 19** Token.project.domain
Parameter	Type	Description
id	String	Account ID.
name	String	Account name.

**Table 20** Token.roles
Parameter	Type	Description
name	String	Permission name.
id	String	Permission ID. The default value is 0, which does not correspond to any permission.

**Table 21** Token.user
Parameter	Type	Description
name	String	IAM username.
id	String	IAM user ID.
password_expires_at	String	Password expiration time. If this parameter is not specified, the password will never expire. NOTE: The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601.
domain	Object	Information about the account used to create the IAM user.

**Table 22** Token.user.domain
Parameter	Type	Description
name	String	Name of the account used to create the IAM user.
id	String	ID of the account used to create the IAM user.

Example Response

Status code: 201

The request is successful.

Response to the request for obtaining a token for an IAM user (username: IAMUser, password: IAMPassword, account name: IAMDomain, scope: project ap-southeast-1) without displaying catalog information in the response

Parameters in the response header (obtained token)
X-Subject-Token:MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB...

Parameters in the response body
{
    "token": {
        "catalog": [],
        "expires_at": "2020-01-04T09:05:22.701000Z",
        "issued_at": "2020-01-03T09:05:22.701000Z",
        "methods": [
            "password"
        ],
        "project": {
            "domain": {
                "id": "d78cbac186b744899480f25bd022f...",
                "name": "IAMDomain"
            },
            "id": "aa2d97d7e62c4b7da3ffdfc11551f...",
            "name": "ap-southeast-1"
        },
        "roles": [
            {
                "id": "0",
                "name": "te_admin"
            },
            {
                "id": "0",
                "name": "op_gated_Video_Campus"
            }
        ],
        "user": {
            "domain": {
                "id": "d78cbac186b744899480f25bd022f...",
                "name": "IAMDomain"
            },
            "id": "7116d09f88fa41908676fdd4b039e...",
            "name": "IAMUser",
            "password_expires_at": ""
        }
    }
}

Request for obtaining a token for an IAM user (username: IAMUser, password: IAMPassword, account name: IAMDomain, scope: domain)

Parameters in the response header (obtained token)
X-Subject-Token:MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB...

Parameters in the response body
{
    "token": {
        "catalog": [
            {
                "endpoints": [
                    {
                        "id": "33e1cbdd86d34e89a63cf8ad16a5f...",
                        "interface": "public",
                        "region": "*",
                        "region_id": "*",
                        "url": "https://iam.myhuaweicloud.com/v3.0"
                    }
                ],
                "id": "100a6a3477f1495286579b819d399...",
                "name": "iam",
                "type": "iam"
            },
            {
                "endpoints": [
                    {
                        "id": "29319cf2052d4e94bcf438b55d143...",
                        "interface": "public",
                        "region": "*",
                        "region_id": "*",
                        "url": "https://bss.sample.domain.com/v1.0"
                    }
                ],
                "id": "c6db69fabbd549908adcb861c7e47...",
                "name": "bssv1",
                "type": "bssv1"
            }
        ],
        "domain": {
            "id": "d78cbac186b744899480f25bd022f...",
            "name": "IAMDomain"
        },
        "expires_at": "2020-01-04T09:08:49.965000Z",
        "issued_at": "2020-01-03T09:08:49.965000Z",
        "methods": [
            "password"
        ],
        "roles": [
            {
                "id": "0",
                "name": "te_admin"
            },
            {
                "id": "0",
                "name": "secu_admin"
            },
            {
                "id": "0",
                "name": "te_agency"
            }
        ],
        "user": {
            "domain": {
                "id": "d78cbac186b744899480f25bd022f...",
                "name": "IAMDomain"
            },
            "id": "7116d09f88fa41908676fdd4b039e...",
            "name": "IAMUser",
            "password_expires_at": ""
        }
    }
}

Status code: 400

Invalid parameters. Check whether the request body complies with the JSON syntax.

{
    "error": {
        "code": 400,
        "message": "The request body is invalid",
        "title": "Bad Request"
    }
}

Status code: 401

Authentication failed.

If you are a user of a third-party system, you cannot obtain a token by using the username and password that you use for federated identity authentication. Go to the Huawei Cloud login page, click Forgot Password, and reset the password.
If your Huawei Cloud account has been upgraded to a HUAWEI ID, you cannot obtain a token using the HUAWEI ID. Instead, you can create an IAM user, grant the user required permissions, and obtain a token as the user.

{
    "error": {
        "code": 401,
        "message": "The username or password is wrong.",
        "title": "Unauthorized"
    }
}

Status Codes

Status Code	Description
201	The request is successful.
400	Invalid parameters.
401	Authentication failed.
403	Access denied.
404	The requested resource cannot be found.
500	Internal server error.
503	Service unavailable.

Error Codes

None

Troubleshooting

Incorrect username or password: Check whether the entered username and password are correct. If the username and password are correct but the error persists, check whether the account used to obtain a token is a HUAWEI ID. A HUAWEI ID cannot be directly used to obtain a token. You need to create an IAM user, assign required permissions to the user, and use the IAM username and password to obtain a token.
No API access permissions: Before calling an API, ensure that you have enabled programmatic access.

Related Operations

If login protection has been enabled and the verification method has been set to MFA authentication, obtain a token as an IAM user by following the instructions provided in Obtaining a User Token Through Password and Virtual MFA Authentication.
To obtain a token with Security Administrator permissions, see How Do I Obtain a Token with Security Administrator Permissions?

Parent topic: Token Management

Previous topic: Token Management

Next topic: Obtaining a User Token Through Password and Virtual MFA Authentication