Skip to main content
CryptoHub enforces dual login: a single administrator is not fully authenticated until a second administrator has also logged in within the same session. The two logins share one cookie jar, and the bearer token is only minted once the session is fully logged in.
1

Encode the password

The password is sent base64-encoded in the password field. Generate it once:
PW=$(printf 'your-admin-password' | base64)
2

Log in with dual login

Log in as Admin1, then Admin2, writing to a shared cookie jar (-c writes, -b reads):
Dual login
B=https://localhost:8443
CJ=./ch-admin.cookies

for U in Admin1 Admin2; do
  curl -sk -c "$CJ" -b "$CJ" -X POST "$B/home/v1/login" \
    -H 'Content-Type: application/json' \
    -d "{\"authCredentials\":{\"username\":\"$U\",\"password\":\"$PW\"},\"authType\":\"userpass\"}"
done
The first login responds with fullyLoggedIn: false; after the second login the session is complete:
Second login response (truncated)
{
  "message": "Success",
  "response": {
    "fullyLoggedIn": true,
    "hardened": false,
    "management": true,
    "perms": ["CertManage:Inject", "Crypto:Decrypt", "Keys", "..."]
  }
}
3

Mint a bearer token

Now exchange the fully logged-in session for a bearer token:
Mint the bearer token
TOKEN=$(curl -sk -c "$CJ" -b "$CJ" "$B/home/v1/login/token" \
  | python3 -c 'import sys,json;print(json.load(sys.stdin)["token"])')
GET /home/v1/login/token response (truncated)
{
  "message": "Success",
  "status": "Success",
  "token": "eyJhbGciOiJIUzI1NiIsImtpZCI6IjI1NDQ5IiwidHlwIjoiSldUIn0.eyJ..."
}
For the remaining steps, send the token as a bearer header. Keep the cookie jar too, as some hosts accept either:
AUTH=(-H "Authorization: Bearer $TOKEN")
A subsequent read-only call such as GET /api/v2/x509/cert-profiles/stubs should return HTTP 200 with "success": true. If you receive HTTP 401 or "errorCode": "InvalidAuthToken", the token has expired; repeat this step to mint a fresh one.