Consume internal API as an application

This how-to guides you through the steps required to consume an API secured with Entra ID:

  1. Configure your application
  2. Acquire token from Entra ID
  3. Consume the API using the token

Prerequisites

Configure your application

Enable Entra ID in your application:

app.yaml
spec:
  azure:
    application:
      enabled: true

Depending on how you communicate with the API you're consuming, configure the appropriate outbound access policies.

Use webproxy for outbound network connectivity from on-premises environments

If you're on-premises, you must enable and use webproxy to access Entra ID.

Acquire token

Request a new token for the API that you want to consume:

Token request
POST ${AZURE_OPENID_CONFIG_TOKEN_ENDPOINT} HTTP/1.1
Content-Type: application/x-www-form-urlencoded

client_id=${AZURE_APP_CLIENT_ID}
&client_secret=${AZURE_APP_CLIENT_SECRET}
&scope=api://<cluster>.<namespace>.<other-api-app-name>/.default
&grant_type=client_credentials

Successful response
{
  "access_token" : "eyJ0eX[...]",
  "expires_in" : 3599,
  ...
}

Your application does not need to validate this token. It is issued for the API you are consuming, and that API is responsible for validating it.

Token Caching

The expires_in field denotes the lifetime of the token in seconds.

Cache and reuse the token until it expires to minimize network latency impact.

A safe cache key for client credentials tokens is key = $scope.

Consume API

Once you have acquired the token, you can finally consume the target API.

Use the token in the Authorization header as a Bearer token:

GET /resource HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJraWQ...
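
The three steps above combined into one client, as an added example that is not part of the platform's own documentation: it sends the token request, caches the result per scope, and builds the Authorization header. The names TokenCache and fetch_token and the 60-second early-expiry margin are assumptions of this example; the environment variables are the ones used in the token request above.

```python
import json
import os
import threading
import time
import urllib.parse
import urllib.request


def fetch_token(scope):
    """Send the client_credentials token request and return the parsed JSON."""
    body = urllib.parse.urlencode({
        "client_id": os.environ["AZURE_APP_CLIENT_ID"],
        "client_secret": os.environ["AZURE_APP_CLIENT_SECRET"],
        "scope": scope,
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(
        os.environ["AZURE_OPENID_CONFIG_TOKEN_ENDPOINT"], data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Caches client credentials tokens, keyed by scope, until shortly before expiry."""

    def __init__(self, fetch=fetch_token, clock=time.monotonic, skew=60):
        # skew (assumed value): seconds of lifetime to give up as a safety margin
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._entries = {}  # scope -> (access_token, expires_at)
        self._lock = threading.Lock()

    def get(self, scope):
        # Holding the lock during the fetch stops concurrent callers from
        # all requesting a new token at the moment the old one expires.
        with self._lock:
            now = self._clock()
            cached = self._entries.get(scope)
            if cached and now < cached[1]:
                return cached[0]
            resp = self._fetch(scope)
            # Expire early so a request in flight never carries a lapsed token.
            expires_at = now + max(int(resp["expires_in"]) - self._skew, 0)
            self._entries[scope] = (resp["access_token"], expires_at)
            return resp["access_token"]

    def auth_header(self, scope):
        """Header to attach to requests against the target API."""
        return {"Authorization": "Bearer " + self.get(scope)}
```

The cache lives in process memory only, so the access token and client secret are never written to disk or logs by this code.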

📚 Entra ID reference