Authenticating applications
This page explains how to use user-managed service accounts and their private keys to authenticate an application to the ClearBlade IoT Core API.
You can use applications to administer registries and devices.
Authenticating using service accounts
We require a Google service account only when you create a project. This account talks to Google Pub/Sub, Cloud Logs, and Cloud Monitoring.
A user-managed service account is a Google account type that represents an application. User-managed service accounts are primarily used for server-to-API authentication.
This page does not describe service accounts created and owned by Google to manage roles and permissions for different services. For example, when you first enable a project’s ClearBlade IoT Core API, a new service account is automatically assigned a role to enable publishing to Pub/Sub topics. For details, see Creating a device registry.
ClearBlade IoT Core uses two authentication types. When authenticating devices to ClearBlade IoT Core, you use private/public key pairs and JSON Web Tokens.
You need a service account to call the getRegistryCredentials endpoint. You need credentials from a service account to:
Call registriesCreate, registriesList, and registriesDelete. Once you have a service account, you can download those credentials to call these APIs.
Call getRegistryCredentials. Once you have a registry’s credentials, you can use them to call all other APIs, e.g., registriesGet, registriesPatch, devicesList, etc.
The SDKs handle calling getRegistryCredentials, so you just have to supply a service account’s credentials.
The system key, token, and URL (registry keys) are from getRegistryCredentials. They can call the getRegistryCredentials API, and those credentials are used to talk to the registry and its regional APIs.
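The two-tier credential flow described above, sketched as an added example (this is not ClearBlade's SDK code). The transport callable, the "registry" parameter, and the credential field names ("url", "token", "systemKey") are assumptions for illustration; the operation names are the ones listed on this page.

```python
from typing import Callable, Dict
# Operations the page says are called with the service account's credentials.
SERVICE_ACCOUNT_OPS = {"registriesCreate", "registriesList",
                       "registriesDelete", "getRegistryCredentials"}
REGISTRY_KEYS = {"systemKey", "token", "url"}  # assumed field names
# Hypothetical transport: (base_url, token, operation, params) -> response dict
Transport = Callable[[str, str, str, dict], dict]

class RegistryClient:
    def __init__(self, service_account: dict, transport: Transport):
        self._sa = service_account              # assumed keys: "url", "token"
        self._send = transport
        self._cache: Dict[str, dict] = {}       # registry name -> registry keys

    def _registry_creds(self, registry: str) -> dict:
        # Exchange the service account credentials for registry keys once.
        if registry not in self._cache:
            reply = self._send(self._sa["url"], self._sa["token"],
                               "getRegistryCredentials", {"registry": registry})
            missing = REGISTRY_KEYS - set(reply)
            if missing:
                raise ValueError(f"incomplete registry keys: {sorted(missing)}")
            self._cache[registry] = reply
        return self._cache[registry]

    def call(self, operation: str, registry: str = "", **params) -> dict:
        if registry:
            params["registry"] = registry
        if operation in SERVICE_ACCOUNT_OPS:
            return self._send(self._sa["url"], self._sa["token"], operation, params)
        if not registry:
            raise ValueError(f"{operation} requires a registry")
        creds = self._registry_creds(registry)
        # Registry-scoped call: the service account token is never sent here.
        return self._send(creds["url"], creds["token"], operation, params)

def demo() -> list:
    calls = []
    def fake_transport(url, token, operation, params):  # constructed stand-in
        calls.append((operation, url, token))
        if operation == "getRegistryCredentials":
            return {"systemKey": "sk-demo", "token": "registry-token-demo",
                    "url": "https://region.example.invalid"}
        return {"ok": True}
    sa = {"url": "https://api.example.invalid", "token": "sa-token-demo"}
    client = RegistryClient(sa, fake_transport)
    for op, reg in [("registriesList", ""), ("devicesList", "reg-a"), ("registriesGet", "reg-a")]:
        client.call(op, registry=reg)
    return calls
```

Calling demo() returns the recorded calls in order, showing that the service account token is used only for registriesList and the single getRegistryCredentials exchange, while both registry operations go to the registry URL with the registry token.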
You can access the API page by going to the registry list, clicking a registry, and clicking the key icon on the top right.
This API keys page calls getRegistryCredentials: