IBM Cloud Docs
Security schemes for authentication

Security schemes for authentication

The IBM Log Analysis API supports the following security schemes:

As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025.

Service API key authorization

You can use a service key in the header.

This key is used for all APIs with the exception of ingest.

You can obtain a service key by following these instructions and placing the key in the header of your call.

For example, see a sample call:

curl GET https://api.<region>.logging.cloud.ibm.com/v1/config/categories/views \
  -H 'content-type: application/json' \
  -H 'servicekey: <SERVICE_KEY>' \

Ingestion API key authorization

You can use an ingestion key in the header.

You can obtain the ingestion key by following these instructions and placing the key in the header of your call.

For example, see a sample call:

curl "ENDPOINT/logs/ingest?QUERY_PARAMETERS" \
  -H 'content-type: application/json' \
  -H 'ingestionkey: <INGESTION_KEY>' \
  -d "LOG_LINES"

IAM token authorization

This scheme is an alternative to authenticating with a service key in IBM environments.

You can use a bearer access_token that you obtain from the IAM Identity Services API.

The token that you get has an expiration time.

This token must also be sent with the cloud-resource-name header to identify which account you are accessing. To get the CRN, see Retrieving your instance ID and cloud resource name (CRN)

For example, a sample cURL looks like:

curl https://api.<region>.logging.cloud.ibm.com/v1/config/view --header 'Authorization: Bearer [IAM_ACCESS_TOKEN]' --header 'cloud-resource-name: [IBM_INSTANCE_CRN]'

To get the access token, you can run the following:

curl -X POST https://iam.cloud.ibm.com/identity/token -H "content-type: application/x-www-form-urlencoded" -H "accept: application/json" -d "grant_type=urn%3Aibm%3Aparams%3Aoauth%3Agrant-type%3Aapikey&apikey=<APIKEY>"

Basic authentication

As an alternative to authenticating with a header value, you can also use basic authentication.

You can use either an apiKey or a servicekey as basic authentication. Simply pass the key as the username with no password.

For example, see the following sample when using a service key:

curl https://api.<region>.logging.cloud.ibm.com/v1/config/view -u SERVICE_KEY:

For example, see the following sample when using an ingestion key:

curl "ENDPOINT/logs/ingest?QUERY_PARAMETERS" -u INGESTION_KEY: --header "Content-Type: application/json; charset=UTF-8" -d "LOG_LINES"