Authentication
TigerGraph’s RESTful APIs communicate with either the REST++ server on port 9000 or the GSQL server on port 14240. Each server uses different methods of authentication.
REST++ Server Requests
TigerGraph REST++ endpoints are public by default: anyone with access to the HTTP ports of the TigerGraph server can run your endpoints. When REST++ authentication is enabled, then a valid authorization token must be included in the header.
The REST++ server implements OAuth 2.0-style authorization as follows:
-
Each user can create one or more secrets (unique pseudorandom strings). Each secret is associated with a particular user and the user’s privileges for a particular graph.
-
Anyone who has this secret can invoke a special REST endpoint to generate authorization tokens (other pseudorandom strings).
-
An authorization token can then be used to perform TigerGraph database operations via other REST endpoints. Each token will expire after a certain period of time. The TigerGraph default lifetime for a token is 1 month.
Using Tokens
Once REST++ authentication is enabled, a valid token should always be included in the HTTP header. If you are using curl to format and submit your REST++ requests, then use the following syntax:
curl -X GET -H "Authorization: Bearer <token>" '<request_URL>'Here is a sample request:
curl -X GET -H "Authorization: Bearer 01234567abcdefgh01234567abcdefgh" "http://localhost:9000/graph/socialNet/vertices/User?limit=3"GSQL Server Requests
All requests made to the GSQL Server must be accompanied by your user credentials. You can use the curl -u option to pass in the username and password of the TigerGraph user:
curl -X GET -u <username>:<password> "http://localhost:14240/<path_to_endpoint>To keep your credentials more secure, one way to avoid having the user name and password on the command line is to instead use a .netrc file or a config file. If you are in interactive mode, you can also use the -u option without specifying the password, and then curl will prompt for the password.