Application Accounts

Overview

Application accounts (service accounts) let you run server-to-server workflows with the OAuth 2.0 client credentials grant. Tokens issued for these accounts carry the role and ABAC scopes configured when the account was created, so the API applies the same permission checks to them as it does to user tokens.

Prerequisites

  • Access to the Bloomeo web app and the permissions to create application accounts.
  • The application account’s clientId and clientSecret. The secret is only shown once when you create the account.
  • The Cognito domain for your environment (for example app.auth.eu-west-3.amazoncognito.com).
  • The API host you will call (for example api.app.bloomeo-app.com).
  • Scope: bloomeo-services/all.

Create an application account

  1. In the Bloomeo web app, open Configuration → Users → Application accounts.
  2. Click Create application account, fill the name/description, pick the role, and choose the ABAC toggles you need.
  3. After creation, copy the clientId and clientSecret. Store them securely (password manager, secret store). If the secret is lost, delete the account and create a new one to rotate credentials.

Warning

Keep the client secret private. Tokens minted with the secret inherit the permissions of the associated role.

Exchange client credentials for an access token

Keep the credentials in shell variables so they appear in your shell history only once and the commands below can be copied as-is. Note that the secret is still passed on curl's command line (visible to other processes on the host while curl runs), so on shared machines read it from a secret store rather than pasting it:

CLIENT_ID="<CLIENT_ID>"
CLIENT_SECRET="<CLIENT_SECRET>"
COGNITO_DOMAIN="app.auth.eu-west-3.amazoncognito.com" # replace with your Cognito domain

curl -X POST "https://${COGNITO_DOMAIN}/oauth2/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}&scope=bloomeo-services/all"

Example response:

{
  "access_token": "eyJ...",
  "expires_in": 3600,
  "token_type": "Bearer"
}

Call Bloomeo APIs with the token

Use the access token as a Bearer token in API calls. Example creating a tag:

ACCESS_TOKEN="<ACCESS_TOKEN_FROM_PREVIOUS_STEP>"
API_HOST="api.app.bloomeo-app.com" # replace with your API host

curl -X POST \
  "https://${API_HOST}/core/bloomeo-tag" \
  -H "accept: application/json" \
  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
  "value": "variableTag",
  "type": "VARIABLE",
  "context": "agronomic"
}'

Tip

Tokens are valid for the number of seconds given in expires_in (typically 3600, one hour). The client credentials grant issues no refresh token, so when a token expires request a new one with the same client credentials; cache the token and renew it shortly before expiry rather than fetching one per API call. Rotate the client secret (delete and recreate the application account) if you suspect it has been exposed.
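The token exchange and the API call above, combined into one small client as an added example (this is not Bloomeo's own code): it requests a token with the client_credentials grant exactly as the curl command does, caches it and renews it 60 seconds before expires_in runs out, then attaches it as a Bearer token to the tag-creation request and surfaces token-endpoint errors instead of sending an empty token. The Cognito domain, API host and credentials come from the same environment variables as the shell examples; the injectable transport, the 60-second margin and the jwt_claims debugging helper are this example's choices, not part of the Bloomeo API.

```python
"""Client-credentials helper for Bloomeo application accounts.

Added example, not code shipped by Bloomeo: performs the token exchange and
tag-creation call from the docs, caches the access token and renews it shortly
before expires_in elapses. The HTTP transport is injectable so the caching and
error handling can be exercised offline against a fake endpoint.
"""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

SCOPE = "bloomeo-services/all"
REFRESH_MARGIN_SECONDS = 60  # renew early so no call carries a token about to expire


def urllib_transport(method, url, headers, body):
    """Default transport: (method, url, headers, body) -> (status, response bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()  # return error bodies instead of raising


class TokenError(Exception):
    """The token endpoint answered without an access token (e.g. invalid_client)."""
    def __init__(self, status, error):
        super().__init__(f"token request failed: HTTP {status} {error}")
        self.status, self.error = status, error


class BloomeoClient:
    def __init__(self, cognito_domain, api_host, client_id, client_secret,
                 transport=urllib_transport, clock=time.time):
        self.token_url = f"https://{cognito_domain}/oauth2/token"
        self.api_base = f"https://{api_host}"
        self._client_id, self._client_secret = client_id, client_secret
        self._transport, self._clock = transport, clock
        self._token = None
        self._renew_at = 0.0
        self.token_requests = 0  # round trips to the token endpoint

    def access_token(self):
        """Return the cached token, fetching a new one when missing or near expiry."""
        now = self._clock()
        if self._token is None or now >= self._renew_at:
            payload = self._request_token()
            self._token = payload["access_token"]
            self._renew_at = now + int(payload["expires_in"]) - REFRESH_MARGIN_SECONDS
        return self._token

    def _request_token(self):
        # Same request as the curl example: client_credentials grant, secret in the form body.
        body = urllib.parse.urlencode({
            "grant_type": "client_credentials", "client_id": self._client_id,
            "client_secret": self._client_secret, "scope": SCOPE}).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        status, raw = self._transport("POST", self.token_url, headers, body)
        self.token_requests += 1
        try:
            payload = json.loads(raw or b"{}")
        except ValueError:
            payload = {}
        if status != 200 or "access_token" not in payload:
            # Cognito reports failures as {"error": "..."}; the secret is never logged here.
            raise TokenError(status, str(payload.get("error", "unknown_error")))
        return payload

    def call(self, method, path, json_body=None):
        """Send an API request with the Bearer token attached; returns (status, parsed JSON)."""
        headers = {"accept": "application/json",
                   "Authorization": f"Bearer {self.access_token()}"}
        body = None
        if json_body is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(json_body).encode()
        status, raw = self._transport(method, self.api_base + path, headers, body)
        try:
            return status, json.loads(raw or b"{}")
        except ValueError:
            return status, {"raw": raw.decode(errors="replace")}


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature: debugging aid for exp/scope only."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


if __name__ == "__main__":
    import os
    client = BloomeoClient(os.environ["COGNITO_DOMAIN"], os.environ["API_HOST"],
                           os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    print(client.call("POST", "/core/bloomeo-tag",
                      {"value": "variableTag", "type": "VARIABLE", "context": "agronomic"}))
```

Run it with the four environment variables from the shell examples set. jwt_claims(client.access_token())["exp"] shows the actual lifetime the endpoint granted, but it decodes the token without checking the signature and must not be used as an authorization decision.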