# Authentication

## Get Dex client credentials

> Returns a map of Dex client IDs to their secrets. Use the value for key `kubernetes` as the `client_secret` in the next step.
>
> **Prerequisite**: You must first obtain a Keystone token. See the [Keystone Authentication](https://docs.platform9.com/api-docs/identity-service/authentication#post-auth-tokens) page for details.

```json
{"openapi":"3.0.3","info":{"title":"Authentication","version":"v1"},"servers":[{"url":"https://{du-name}-{region}.{du-domain}","variables":{"du-name":{"default":"pcd","description":"Short name of the PCD-V deployment unit"},"region":{"default":"r1","description":"Region code"},"du-domain":{"default":"example.com","description":"Domain suffix of the deployment unit"}}}],"paths":{"/resmgr/v2/dexclients":{"get":{"summary":"Get Dex client credentials","operationId":"getDexClients","description":"Returns a map of Dex client IDs to their secrets. Use the value for key `kubernetes` as the `client_secret` in the next step.\n\n**Prerequisite**: You must first obtain a Keystone token. See the [Keystone Authentication](https://docs.platform9.com/api-docs/identity-service/authentication#post-auth-tokens) page for details.\n","parameters":[{"name":"x-auth-token","in":"header","required":true,"description":"Keystone token obtained from `/keystone/v3/auth/tokens`.","schema":{"type":"string"}}],"responses":{"200":{"description":"Map of client ID to client secret.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DexClientMap"}}}},"401":{"description":"Missing or invalid Keystone token.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}}}},"components":{"schemas":{"DexClientMap":{"type":"object","description":"Map of Dex client ID to client secret. Each key is a `client_id`; the corresponding value is its `client_secret`.\n","additionalProperties":{"type":"string"}},"Error":{"type":"object","properties":{"message":{"type":"string"},"code":{"type":"integer"}}}}}}
```

## Get a Dex JWT (id_token)

> Exchange your username/password and the Dex `client_secret` (from the previous step) for a short-lived Dex JWT.
>
> The `id_token` in the response is the Bearer token required for all PCD-K Cluster API calls:
>
> ```
> Authorization: Bearer <id_token>
> ```
>
> A `refresh_token` is also returned. Use it with `grant_type=refresh_token` to renew your `id_token` without re-entering your password.

````json
{"openapi":"3.0.3","info":{"title":"Authentication","version":"v1"},"servers":[{"url":"https://{du-name}-{region}.{du-domain}","variables":{"du-name":{"default":"pcd","description":"Short name of the PCD-V deployment unit"},"region":{"default":"r1","description":"Region code"},"du-domain":{"default":"example.com","description":"Domain suffix of the deployment unit"}}}],"paths":{"/dex/token":{"post":{"summary":"Get a Dex JWT (id_token)","operationId":"getDexToken","description":"Exchange your username/password and the Dex `client_secret` (from the previous step) for a short-lived Dex JWT.\n\nThe `id_token` in the response is the Bearer token required for all PCD-K Cluster API calls:\n```\nAuthorization: Bearer <id_token>\n```\n\nA `refresh_token` is also returned. Use it with `grant_type=refresh_token` to renew your `id_token` without re-entering your password.\n","requestBody":{"required":true,"content":{"application/x-www-form-urlencoded":{"schema":{"$ref":"#/components/schemas/TokenRequest"}}}},"responses":{"200":{"description":"Token issued. Use `id_token` as the `Authorization: Bearer` value on Cluster API calls.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenResponse"}}}},"400":{"description":"Invalid request — wrong grant type, missing fields, or bad credentials.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuthError"}}}},"401":{"description":"Invalid client credentials (`client_id` / `client_secret` mismatch).","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuthError"}}}}}}}},"components":{"schemas":{"TokenRequest":{"type":"object","required":["grant_type","client_id","client_secret"],"properties":{"grant_type":{"type":"string","enum":["password","refresh_token"],"description":"`password` for initial login; `refresh_token` to renew using a previously issued refresh token.\n"},"client_id":{"type":"string","description":"Always `kubernetes`."},"client_secret":{"type":"string","description":"The `client_secret` for the `kubernetes` client from `/resmgr/v2/dexclients`."},"scope":{"type":"string","description":"Space-separated OIDC scopes. Use `openid offline_access groups email profile` to receive a refresh token and group claims.\n"},"username":{"type":"string","description":"PCD-V / Keystone username (email). Required for `password` grant."},"password":{"type":"string","description":"PCD-V / Keystone password. Required for `password` grant."},"connector_id":{"type":"string","description":"Dex connector to authenticate against. Use `default` for the standard Keystone connector."},"refresh_token":{"type":"string","description":"The refresh token from a previous response. Required for `refresh_token` grant."}}},"TokenResponse":{"type":"object","properties":{"access_token":{"type":"string","description":"OAuth 2.0 access token (not used directly by the Cluster API)."},"token_type":{"type":"string","description":"Type of token, e.g. 'bearer'."},"id_token":{"type":"string","description":"OIDC ID token (JWT). This is the value to pass as `Authorization: Bearer <id_token>` on all PCD-K Cluster API requests.\n"},"refresh_token":{"type":"string","description":"Long-lived refresh token. Store securely and use with `grant_type=refresh_token` to renew the `id_token` without re-entering your password. Only returned when `offline_access` scope is requested.\n"},"expires_in":{"type":"integer","description":"Lifetime of the `id_token` in seconds (typically 86399 — ~24 hours)."}}},"OAuthError":{"type":"object","properties":{"error":{"type":"string","description":"OAuth 2.0 error code."},"error_description":{"type":"string","description":"Human-readable error description."}}}}}}
````
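The two calls above chained into one client flow, as an added example (not Platform9's code): it builds the `/resmgr/v2/dexclients` and `/dex/token` requests per the schemas, keeps every secret in a header or the form body rather than the URL, and turns a token response into the `Authorization` header plus an absolute expiry. The function names, the `BASE` URL (assembled from the spec's default server variables) and all sample values are assumptions.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumption: server URL assembled from the spec's default variables.
BASE = "https://pcd-r1.example.com"

def dexclients_request(keystone_token):
    """Step 1: GET /resmgr/v2/dexclients with the Keystone token as a header."""
    return urllib.request.Request(f"{BASE}/resmgr/v2/dexclients", method="GET",
                                  headers={"x-auth-token": keystone_token})

def token_request(client_secret, username=None, password=None, refresh_token=None):
    """Step 2: POST /dex/token. Secrets go in the form body, never the URL."""
    form = {"client_id": "kubernetes", "client_secret": client_secret}
    if refresh_token:
        form.update(grant_type="refresh_token", refresh_token=refresh_token)
    elif username and password:
        form.update(grant_type="password", username=username, password=password,
                    connector_id="default",
                    scope="openid offline_access groups email profile")
    else:
        raise ValueError("password grant needs username and password")
    return urllib.request.Request(
        f"{BASE}/dex/token", method="POST",
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(raw, now=None):
    """Return (auth headers, refresh_token, expiry epoch); raise on OAuthError."""
    doc = json.loads(raw)
    if "error" in doc:
        raise PermissionError(f"{doc['error']}: {doc.get('error_description', '')}")
    now = time.time() if now is None else now
    headers = {"Authorization": f"Bearer {doc['id_token']}"}
    return headers, doc.get("refresh_token"), now + doc["expires_in"]

def send(req):
    """Perform the call; TLS verification stays on (urllib's default)."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()
```

In use, `json.loads(send(dexclients_request(tok)))["kubernetes"]` yields the `client_secret` for `token_request`, and the returned expiry tells the caller when to switch to the `refresh_token` grant.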

