Using the Authentication (ASPXAUTH) Token

The most important element of a successful response to /Security/AdvanceAuthentication is the .ASPXAUTH cookie, which carries the authentication token. The server generates this unique value, and your client application must store it. The token grants the client authenticated access to CyberArk Identity endpoints on behalf of the user: it is the server's proof that each subsequent API call is being made on behalf of a user who has already been authenticated. Browser-based clients, and tools such as Postman, keep this value as a cookie and pass it back to the server automatically. Treat the token as a credential, since anyone who holds it can call the API as that user.


If your calls are made from server-side code, you must pass the token manually as a Bearer token. For each subsequent API call, add a request header named Authorization whose value is the word Bearer, a space, and the token value taken from the .ASPXAUTH cookie.

Consider the following example, in which the client has already received the authentication token. The client then invokes the /UPRest/GetUPData endpoint to obtain the list of applications deployed for the authenticated user:

    POST /UPRest/GetUPData
    Content-Type: application/json
    Authorization: Bearer 6936714B84F54...

    {
        "Username": "[email protected]"
    }

In this example, the client sends the value of the .ASPXAUTH cookie in a header called Authorization, prefixed with Bearer.

With this information, the client can invoke this request on behalf of the user.
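The server-side case described above, as an added example that is not CyberArk's own code: it pulls the .ASPXAUTH value out of the Set-Cookie headers of an AdvanceAuthentication response, fails loudly if the cookie is missing (the same check the Postman Cookies view lets you do by eye), and builds the Bearer-authenticated /UPRest/GetUPData request. The tenant URL, the user name and the Set-Cookie lines are constructed sample data; only the cookie name and the two endpoints come from the page.

```python
"""Reuse the .ASPXAUTH token from /Security/AdvanceAuthentication as a Bearer
token on a follow-up /UPRest/GetUPData call (standard library only)."""
import json
from http.cookies import SimpleCookie
from urllib.request import Request, urlopen

COOKIE_NAME = ".ASPXAUTH"

# Constructed sample of the Set-Cookie headers a successful
# /Security/AdvanceAuthentication response might carry; the token value is fake.
SAMPLE_SET_COOKIES = [
    "ASPNET_SessionId=abc123; Path=/; HttpOnly",
    ".ASPXAUTH=6936714B84F54DEADBEEF; Path=/; Secure; HttpOnly",
]


def extract_aspxauth(set_cookie_headers):
    """Return the .ASPXAUTH value from a list of Set-Cookie header values.

    Raises ValueError when the cookie is absent or empty, because every later
    call on behalf of the user depends on it; a response without it means the
    authentication flow did not complete.
    """
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)            # parses "name=value; Path=/; Secure; HttpOnly"
        if COOKIE_NAME in jar and jar[COOKIE_NAME].value:
            return jar[COOKIE_NAME].value
    raise ValueError(f"response did not set the {COOKIE_NAME} cookie; "
                     "authentication did not complete")


def bearer_headers(token):
    """Headers for a call made on behalf of the authenticated user."""
    return {
        "Content-Type": "application/json",
        "Authorization": "Bearer " + token,
    }


def build_get_updata_request(tenant_url, token, username):
    """Build (but do not send) the POST /UPRest/GetUPData request.

    tenant_url is the base URL of your tenant (an assumption of this example).
    """
    body = json.dumps({"Username": username}).encode()
    return Request(tenant_url.rstrip("/") + "/UPRest/GetUPData",
                   data=body, headers=bearer_headers(token), method="POST")


def send(req):
    """Send a prepared request and decode the JSON reply (needs network)."""
    with urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration with the constructed sample response.
    token = extract_aspxauth(SAMPLE_SET_COOKIES)
    req = build_get_updata_request("https://tenant.example", token,
                                   "user@example.com")
    print(req.get_method(), req.full_url)
    for name, value in req.header_items():
        print(f"{name}: {value}")
    print(req.data.decode())
```

The response headers themselves are not shown on the page; with urllib you would obtain the list passed to extract_aspxauth from resp.headers.get_all("Set-Cookie") on the AdvanceAuthentication response.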

To execute this request in Postman:

  1. Click Cookies in the response section to verify that the response from /Security/AdvanceAuthentication contains an .ASPXAUTH cookie for your tenant. You must have this cookie before you can execute subsequent calls in Postman on behalf of the user you just authenticated.
  2. Select the POST request type in the list and enter the endpoint URL.
  3. Select the Headers tab and enter each header on a separate line.
  4. Select the Body tab and enter the JSON.
  5. Click Send to execute the request.

For more information about the ASPXAUTH token see Using the Authentication Token.

CyberArk Identity Authentication postman collection
To try CyberArk Identity Authentication against your existing or free-trial tenant, use the Postman collection.
Authentication Quick Start Postman Collection

Postman collection documentation

Create a Confidential Client

Note: the user interface and workflow described in this section will change significantly in the near future.

If you selected Confidential as the web application Client ID Type during configuration, continue with this procedure. To authorize a confidential client (that is, a client that authenticates with a client ID and client secret), you must create a user entity representing the confidential client.

  1. Navigate to Core Services > Users.
  2. Click Add User to display the Create CyberArk Identity Directory User screen.
  3. Enter the application's client ID into the Login Name field.
  4. Enter values into the Email Address and Display Name fields. Confidential clients do not use these values, but they are required in order to satisfy the required fields of the user form.
  5. Enter the application's client secret into the Password and Confirm Password fields. The secret is stored as this user's password, so generate it as a long random value and protect it as you would any service credential.
  6. Navigate to the Status section at the bottom and enable Is OAuth confidential client.
  7. Click Create User. A confidential client that presents this client ID and secret can now authorize against your CyberArk Identity tenant.