Generate personal access tokens

While the OAuth application created in the previous lesson handles user-delegated authorization, Red Hat Developer Hub (Developer Hub) often requires a persistent, long-lived credential to perform background tasks like catalog synchronization or health checks. Relying solely on interactive user logins can lead to synchronization gaps when sessions expire.

Personal access tokens (PATs) act as "keys" that allow Developer Hub to maintain a continuous, authenticated connection to the Red Hat Ansible Automation Platform API. With these tokens in hand, you are ready to move from manual configuration to automated, cross-platform synchronization.

Prerequisites:

• You must have administrative access to a Red Hat OpenShift Container Platform cluster.
• Install the OpenShift command-line interface (CLI) and Kustomize locally.
• A valid Red Hat subscription is required.
• Install Ansible Automation Platform, Keycloak, and Developer Hub operators and run the base instances on your cluster (Lesson 1).
• Create and configure the Red Hat build of Keycloak client for SSO (Lesson 2).
• Integrate Ansible Automation Platform with the Red Hat build of Keycloak (Lesson 3).
• Create a confidential OAuth application and enable the skip_authorization flag (Lesson 4). 

In this lesson, you will:

• Generate a scoped API token linked to your OAuth application.
• Capture, store, and refresh the token for use in Developer Hub configuration.

Generating personal access tokens

A personal access token (PAT) is a user-scoped token that is not tied to any specific OAuth application. This is useful for direct API access, automation scripts, or testing purposes where you need simple authentication without OAuth. Unlike application tokens, PATs do not require specifying an application parameter. Create a PAT with the following: 

TOKEN_RESPONSE=$(curl -sk -X POST \
  "${AAP_URL}/api/gateway/v1/tokens/" \
  -u "admin:${AAP_PASSWORD}" \
  -H "Content-Type: application/json" \
  -d '{
    "description": "RHDH PAT",
    "scope": "write"
  }')
AAP_PAT=$(echo $TOKEN_RESPONSE | jq -r '.token')
echo "AAP_PAT=$AAP_PAT" >> .env

Method 1: The Ansible Automation Platform UI

If you prefer to use UI: 

1. Log into Ansible Automation Platform as an administrator.
2. Click on your username in the top-right corner.
3. Select User Details from the dropdown menu.
4. Navigate to the API Tokens tab (Figure 1).
5. Click the Create API token button.
6. Fill in the token details:
   1. Description: RHDH Integration Token (or any meaningful name).
   2. Scope: Select Write (allows read and write operations).
   3. Application: Select the OAuth application you created earlier (e.g., “RHDH Integration”).
7. Click Create.
8. Important: The generated token will only be displayed once. You must copy it immediately. 

9. Save the token in your .env file:

   AAP_TOKEN=<your-generated-token>
   REFRESH_TOKEN=<your-generated-token>

Method 2: Ansible Automation Platform API

You can also generate tokens programmatically:

1. Get the application ID:

   APP_ID=$(curl -sk "${AAP_URL}/api/gateway/v1/applications/" \
     -u "admin:${AAP_PASSWORD}" \
     -H "Content-Type: application/json" | \
     jq -r '.results[] | select(.name=="RHDH Integration") | .id')

2. Generate a new token for the application: 

   TOKEN_RESPONSE=$(curl -sk -X POST \
     "${AAP_URL}/api/gateway/v1/tokens/" \
     -u "admin:${AAP_PASSWORD}" \
     -H "Content-Type: application/json" \
     -d '{
       "description": "RHDH Integration Token",
       "scope": "write",
       "application": "'"${APP_ID}"'"
     }')

3. Extract the token:  

   AAP_TOKEN=$(echo $TOKEN_RESPONSE | jq -r '.token')
   REFRESH_TOKEN=$(echo $TOKEN_RESPONSE | jq -r '.refresh_token')
   echo "AAP_TOKEN=$AAP_TOKEN" >> .env
   echo "REFRESH_TOKEN=$REFRESH_TOKEN" >> .env

Success! You’ve generated the persistent credentials required for programmatic interaction between your platforms.