First-Time Configuration for Admin API 2.x
{ "version": "2.0", "build": "2.0.0.0" }
2. Create the First API Client
In order to authenticate with the API you must first register a client key and secret. This is a client for the Admin API, not an Application and key / secret for interfacing with the Ed-Fi ODS / API.
Client registration is done by sending a url-encoded form request to /connect/register.
The ability to register new clients is similar to adding users in Admin App. By default, this endpoint is only available when no clients have been created. After the first client is created, the endpoint is disabled. The endpoint can be re-enabled with the Authentication/AllowRegistration
setting or environment variable (false
by default). Please use long and complex strings for client id and client secret to safeguard the credentials for Admin API.
Only Enable Registration When Necessary
Since the /connect/register
endpoint does not require any authentication, it is recommended that it remains disabled when not registering a new client. Admin API does not include any scope limitations, so all clients are able to utilize all endpoints.
The sample below is using curl,
however this request can be performed from Postman, the Swagger site, or from your application.
curl -X POST https://your-admin-api/connect/register -H "Content-Type: application/x-www-form-urlencoded" -d "ClientId=YourClientId&ClientSecret=YourClientSecret&DisplayName=YourDisplayName"
After registering the client, verify it was created by retrieving an authorization token.
curl -X POST https://your-admin-api/connect/token -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=YourClientId&client_secret=YourClientSecret&grant_type=client_credentials"
This should return a JSON result including a bearer token. Note that the above request does not include a request scope, so the token will be invalid for accessing most endpoints. See Securing Admin API for more info.
{ "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6ImF0K2p3dCJ9.eyJzdWIiOiJ0ZXN0MSIsIm5hbWUiOiJ0ZXN0Iiwib2lfcHJzdCI6InRlc3QxIiwiY2xpZW50X2lkIjoidGVzdDEiLCJvaV90a25faWQiOiIzMDU2IiwiZXhwIjoxNjU5NTY5ODc4LCJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo3MjE0LyIsImlhdCI6MTY1OTU2NjI3OH0.W8RMjmGIA-US6faXuG_mbmfbRIDrvrc8QheW5imtj-k", "token_type": "Bearer", "expires_in": 3599 }
Optional - Self-Signed Certificates
If using a self-signed certificate for a developer or other non-production instances of Admin API, add "Encrypt=False" to appSettings.json in the ConnectingStrings section to allow them to function. Below is a screen capture of the error that will display using self-signed certificates. The ASP.NET Core client does not trust these certificates by default and this parameter will allow development environments to continue with self-signed certificates.
Example below:
"ConnectionStrings": { "Admin": "Data Source=.\\;Initial Catalog=EdFi_Admin;Integrated Security=True;Encrypt=False", "Security": "Data Source=.\\;Initial Catalog=EdFi_Security;Integrated Security=True;Encrypt=False" },