Authorization and authentication

We strongly recommend that you use a service account for authentication when you integrate with the SAS Portal API. If necessary, create a service account. Be sure to select JSON as your key type when you create your service account key. Once complete, your service account key is downloaded to your browser's default location. Furthermore, be sure to grant the "Project Owner" role to the service account.

Next, you need to provide your service account authentication as a Bearer token. If you call the SAS Portal API directly, such as by making an HTTP request with cURL, you pass your authentication as a Bearer token in an Authorization header. To obtain a Bearer token with your service account, follow these steps:

  1. Install the gcloud command line tool.
  2. Authenticate to your service account. In the following command, replace ${KEY_FILE} with the path to your service account key file:

    gcloud auth activate-service-account --key-file ${KEY_FILE}
  3. Use your service account to obtain an authorization token:

    gcloud auth print-access-token

    The command returns an access token value.

  4. When you use the API, pass the token value as a Bearer token in an Authorization header. See the following example:

    curl -X GET -H "X-Goog-User-Project: ${CLIENT_PROJECT}" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer ${TOKEN}" \

    Set ${CLIENT_PROJECT} to the ID of the Google Cloud Project from which you make the requests, and then set ${TOKEN} to the authorization token.