Consume internal API as an application

This how-to guides you through the steps required to consume an API secured with Entra ID as an application (or a machine user). This is also known as the machine-to-machine (M2M) or client credentials flow.

Prerequisites

Configure your application

Enable Entra ID in your application:

app.yaml
spec:
  azure:
    application:
      enabled: true

Depending on how you communicate with the API you're consuming, configure the appropriate outbound access policies.
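An added example of such a policy (not from the original page): an outbound access policy in the same app.yaml that allows traffic to another NAIS application and to an external host. The field names follow the NAIS application spec; the application, namespace, cluster and host values are placeholders, and you only need the rules that match how you actually reach the API (in-cluster vs. external).

```yaml
spec:
  azure:
    application:
      enabled: true
  accessPolicy:
    outbound:
      rules:
        # In-cluster call to another NAIS app (placeholder values).
        - application: other-api-app-name
          namespace: other-namespace
          cluster: other-cluster
      external:
        # Call to an API outside the cluster (placeholder host).
        - host: api.example.com
```

Keep the policy as narrow as the integration needs: one rule per API you call, rather than a broad external allow-list.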

Acquire token

Now you can request a new token for the API that you want to consume.

Send an HTTP POST request to the endpoint found in the NAIS_TOKEN_ENDPOINT environment variable. The request must have a Content-Type header set to either:

  • application/json or
  • application/x-www-form-urlencoded

The body of the request should contain the following parameters:

Parameter          Example Value                                              Description
identity_provider  azuread                                                    Always azuread.
target             api://<cluster>.<namespace>.<other-api-app-name>/.default  The intended audience (target API or recipient) of the new token.
Token request
POST ${NAIS_TOKEN_ENDPOINT} HTTP/1.1
Content-Type: application/json

{
    "identity_provider": "azuread",
    "target": "api://<cluster>.<namespace>.<other-api-app-name>/.default"
}
Token request
POST ${NAIS_TOKEN_ENDPOINT} HTTP/1.1
Content-Type: application/x-www-form-urlencoded

identity_provider=azuread&
target=api://<cluster>.<namespace>.<other-api-app-name>/.default
Successful response
{
    "access_token": "eyJra...",
    "expires_in": 3599,
    "token_type": "Bearer"
}

Your application does not need to validate this token. It is issued for the target API, which is responsible for validating it; your application only needs to forward it unchanged.

Tokens are automatically cached by default

The endpoint will always return a cached token, if available. The endpoint will never return an expired token.

To forcibly get a new token, set the skip_cache property to true in the request body. This is only necessary if the token is rejected by the target API, for example if permissions have changed since the cached token was issued; do not set it on every request, as that bypasses the cache and adds a round trip to Entra ID for each call.

Consume API

Once you have acquired a new token, you can finally consume the target API by using the token as a Bearer token:

GET /resource HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJraWQ...
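The whole procedure above (request a token from NAIS_TOKEN_ENDPOINT, call the API with it as a Bearer token, and retry once with skip_cache if the API rejects the cached token) as a small Python client. This is an added example, not code from the page or from NAIS. The target audience string uses placeholder cluster, namespace and application names, the API URL is hypothetical, and the HTTP transport is injectable so the flow can be exercised without network access.

```python
"""Client-credentials flow against the NAIS token endpoint (added example)."""
import json
import os
import urllib.error
import urllib.request

# Audience format from the page; cluster/namespace/app names are placeholders.
TARGET = "api://dev-gcp.my-namespace.other-api-app-name/.default"


def build_token_request(target, skip_cache=False):
    """JSON body for POST ${NAIS_TOKEN_ENDPOINT}. skip_cache is only sent when true."""
    body = {"identity_provider": "azuread", "target": target}
    if skip_cache:
        body["skip_cache"] = True
    return body


def http_post_json(url, body):
    """Default transport: POST a JSON body, return (status, parsed JSON)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, json.loads(resp.read())


def http_get_bearer(url, token):
    """Default transport: GET with Authorization: Bearer, return (status, body)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def fetch_token(token_endpoint, target, skip_cache=False, post=http_post_json):
    """Ask the token endpoint for a token for `target`; no validation on our side."""
    status, payload = post(token_endpoint, build_token_request(target, skip_cache))
    if status != 200 or "access_token" not in payload:
        raise RuntimeError(f"token endpoint returned {status}: {payload}")
    return payload["access_token"]


def call_api(api_url, token_endpoint, target, post=http_post_json, get=http_get_bearer):
    """Use the (possibly cached) token; on 401/403 refresh once with skip_cache=True.

    The single retry covers the case the page describes (permissions changed after
    the cached token was issued) without turning every failure into a token storm.
    """
    token = fetch_token(token_endpoint, target, post=post)
    status, body = get(api_url, token)
    if status in (401, 403):
        token = fetch_token(token_endpoint, target, skip_cache=True, post=post)
        status, body = get(api_url, token)
    return status, body


if __name__ == "__main__":
    # Hypothetical API URL; NAIS_TOKEN_ENDPOINT is injected into the pod by the platform.
    endpoint = os.environ["NAIS_TOKEN_ENDPOINT"]
    print(call_api("https://api.example.com/resource", endpoint, TARGET))
```

If the retry with skip_cache still fails, treat it as a configuration problem (the target API has not granted your application access) rather than something to loop on.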

📚 Entra ID reference