Authentication
This section covers authentication best practices for IBM Cloud APIs. Other areas of interest include authorization and IBM Cloud's Identity and Access Management (IAM) service.
IBM Cloud APIs MUST comply with OAuth 2.0 authentication standards and accept Bearer tokens provided by IBM Cloud's IAM service. Service APIs MUST accept authentication information exclusively in the HTTP Authorization header.
Best practices
IBM Cloud APIs MUST accept only platform-standard expiring IAM tokens. These tokens MUST be validated using official IAM libraries. Outside of official IAM libraries, services SHOULD treat tokens as opaque.
APIs SHOULD require authentication, though APIs providing publicly available information such as templates or documentation MAY be made accessible without authentication. The increased risk of denial-of-service attacks MUST be considered and appropriately mitigated for any API accessible without credentials.
Non-expiring credentials such as passwords or raw API keys MUST NOT be accepted in production environments.
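The following request guard is an added example illustrating these rules; it is not IBM's code or part of the handbook. It reads credentials from the Authorization header only, accepts only the Bearer scheme, and hands the token, still opaque, to an injected validator that stands in for an official IAM library (the `fake_iam_validator` and its tokens are constructed for the demo).

```python
from dataclasses import dataclass
from typing import Callable, Mapping, Optional


@dataclass
class AuthResult:
    ok: bool
    status: int                    # HTTP status the API should return
    reason: str
    subject: Optional[str] = None  # identity confirmed by IAM; None for anonymous


# Stand-in for the official IAM library (assumption: it takes the opaque token and
# returns the subject, or None). Constructed for the demo only; a real service must
# not parse or validate tokens itself.
def fake_iam_validator(now: int) -> Callable[[str], Optional[str]]:
    issued = {  # constructed: token -> (subject, expiry as epoch seconds)
        "tok-alice-ok": ("alice", now + 3600),
        "tok-bob-expired": ("bob", now - 60),
    }

    def validate(token: str) -> Optional[str]:
        entry = issued.get(token)
        if entry is None or entry[1] <= now:  # unknown or expired -> rejected
            return None
        return entry[0]
    return validate


def authenticate(headers: Mapping[str, str],
                 validate_iam_token: Callable[[str], Optional[str]],
                 public: bool = False) -> AuthResult:
    """Guard a request: credentials are read from the Authorization header only."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    auth = hdrs.get("authorization")
    if auth is None:
        # X-Api-Key headers, cookies and query parameters are never consulted, so a
        # raw API key sent that way simply does not authenticate.
        if public:
            return AuthResult(True, 200, "anonymous access to public resource")
        return AuthResult(False, 401, "missing Authorization header")
    scheme, _, token = auth.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        # Basic (password / API key) and empty Bearer values are refused outright,
        # even on public resources: a presented credential must be a valid one.
        return AuthResult(False, 401, "only Bearer tokens from IAM are accepted")
    subject = validate_iam_token(token)  # the token stays opaque to this code
    if subject is None:
        return AuthResult(False, 401, "token rejected by IAM validation")
    return AuthResult(True, 200, "authenticated", subject)
```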