REST API authorization and authentication

When programming with the Lenovo XClarity Administrator REST APIs, you must authenticate using a user ID and password. The user ID must have the correct authorization to perform the intended task.

You can use the Lenovo XClarity Administrator web interface or CLI to configure the authorizations that provide access to Lenovo XClarity Administrator tasks and resources (see Managing user accounts).

Note
If you encounter a temporary HTTP connection error, attempt to log in to Lenovo XClarity Administrator again.
Important
When running automated scripts, you can use session parameters to log in to the management server using POST /sessions.
  • This method returns the CSRF token in the csrf property in the response header.

    When using Python, update the X-Csrf-token field in the request header with ${response.session.csrf}. No additional action is required because the cookies will be set automatically.

    When using curl, update the csrf field in the request header with ${response.session.csrf} (see the following example). No additional action is required because the cookies will be set automatically.
    curl --location 'https://${LXCAIP}/sessions' \
    --header 'Cookie: JSESSIONID=${response.session.id}; csrf=${response.session.csrf}; inactivityTimeout=${response.session.inactivityTimeout}; user=${response.session.UserId};'

    If you want to set the cookies manually, iterate through the Set-Cookie headers from the response, save them to the local system, and add them to the request header for subsequent requests. You also need to add the X-Csrf-token field with a value of ${response.session.csrf} to the request header of each request.

  • This method also returns the inactivityTimeout field in the response header. The session times out based on the inactivity timeout value, which is set to 1440 minutes (24 hours). If the session times out, the session is not renewed, although active requests for uploading and downloading data are not canceled.

    If you want the session to respect the inactivity timeout, add the X-NOT-USER-INPUT field with a value of checkSession to the request header of each request. Adding this header implies that the session times out based on the inactivity timeout value. If the session times out, the session is not renewed, although active requests for uploading and downloading data are not canceled.
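The manual cookie handling and the X-NOT-USER-INPUT header described above, as an added Python example that is not part of the original Lenovo documentation. It assumes the CSRF token is read from the csrf cookie; the function names and the sample Set-Cookie values are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample of Set-Cookie header values from a POST /sessions response.
# Cookie names are the ones shown in the curl example; values are placeholders.
SAMPLE_SET_COOKIE = [
    "JSESSIONID=CONSTRUCTED-SESSION-0001; Path=/; Secure; HttpOnly",
    "csrf=CONSTRUCTED-CSRF-0001; Path=/; Secure",
    "inactivityTimeout=1440; Path=/; Secure",
    "user=EXAMPLEUSER; Path=/; Secure",
]

SENSITIVE_HEADERS = ("Cookie", "X-Csrf-token")


def build_session_headers(set_cookie_values, respect_inactivity_timeout=True):
    """Build the headers to send on every request after login.

    Hypothetical helper: iterates through the Set-Cookie headers, keeps only
    name=value pairs (attributes such as Path or Secure are not sent back),
    and adds the X-Csrf-token header from the csrf cookie (assumption).
    """
    jar = {}
    for raw in set_cookie_values:
        parsed = SimpleCookie()
        parsed.load(raw)
        for name, morsel in parsed.items():
            jar[name] = morsel.value

    # Fail closed: without both values later requests cannot be authenticated.
    missing = [n for n in ("JSESSIONID", "csrf") if not jar.get(n)]
    if missing:
        raise ValueError("login response is missing cookie(s): " + ", ".join(missing))

    headers = {
        "Cookie": "; ".join(f"{name}={value}" for name, value in jar.items()),
        "X-Csrf-token": jar["csrf"],
    }
    if respect_inactivity_timeout:
        # Marks the request as not user input so the inactivity timeout is respected.
        headers["X-NOT-USER-INPUT"] = "checkSession"
    return headers


def redact(headers):
    """Copy of the headers that is safe to log: session secrets are masked."""
    return {k: ("<redacted>" if k in SENSITIVE_HEADERS else v) for k, v in headers.items()}


if __name__ == "__main__":
    print(redact(build_session_headers(SAMPLE_SET_COOKIE)))
```

Pass the returned dictionary as the request headers of each subsequent call, and log only the redacted copy so the session ID and CSRF token do not end up in script output.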