BPM, Workflow, and Case


REST API Access to BAW

  • 1.  REST API Access to BAW

    Posted Fri July 31, 2020 10:13 AM
    Hi there,
    I am new to BAW and coming from CSD.
    Is there a REST API with which I can develop a solution similar to Navigator?

    For example: is there a login endpoint where I can authorize the users and get the token for further calls?

    Thx in advance,


    Ivan Rendulic

  • 2.  RE: REST API Access to BAW

    Posted Fri July 31, 2020 05:25 PM
    Hi Ivan,

    There is a Swagger UI and a REST API Tester generally available at the URLs listed below.

    Swagger -  <BAWSERVER>/bpm/explorer/

    Swagger API Info

    REST API Tester - <BAWSERVER>/bpmrest-ui/BPMRestAPITester/index.jsp

    BAW REST API Knowledge Center


  • 3.  RE: REST API Access to BAW

    Posted Sun August 02, 2020 02:53 PM
    Thank you Zachary,
    I have already discovered the first link.
    But the second I did not know.

    I still have the mystery of how to invoke IBM CMIS (aka OASIS) queries on CM (FileNet), to get folders and files.
    The second mystery is how to authorize a user login via the API; the login function is for getting a token but not for authorizing the user.
    It is a strange login method: without specifying user credentials, it always returns a token.
    Maybe it is a two-phase process, I guess?


    Ivan Rendulic

  • 4.  RE: REST API Access to BAW

    Posted Sun August 02, 2020 10:16 PM
    Please refer to this article : https://www.ibm.com/support/knowledgecenter/en/SS8JB4/com.ibm.wbpm.main.doc/topics/rrestapi_authcontrol_ovw.html

    Ngan Nguyen

  • 5.  RE: REST API Access to BAW

    Posted Mon August 03, 2020 01:54 AM
    BAW REST APIs described at (1) Swagger -  <BAWSERVER>/bpm/explorer/ and (2) REST API Tester - <BAWSERVER>/bpmrest-ui/BPMRestAPITester/index.jsp can only be invoked by authenticated users.

    Both support
    - basic authentication (HTTP header "Authorization: Basic .....")
    - authentication cookie (LtpaToken2 by default)

    (1) additionally requires the client to invoke a system/login API to obtain a CSRF token. This token is unrelated to authentication, but protects against Cross Site Request Forgery as it cannot be obtained cross origin. When the /system/login API is invoked, it will return a token for the currently authenticated user.

    When you build a custom UI that causes the browser to send REST requests to these APIs, you need to ensure that the user is already authenticated with BAW (has a valid authentication cookie) AND, in case CSRF protection using Referer and Origin headers is configured (see https://www.ibm.com/support/knowledgecenter/en/SS8JB4_20.x/com.ibm.wbpm.imuc.doc/topics/rsec_harden_properties.html), your origin must be whitelisted.

    When BAW is integrated with User Management Service or any other OpenID Connect provider, you can also obtain tokens from that IdP and send them as Bearer tokens.

    Jens Engelke
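
The flow described in post 5, as an added example that is not part of the original thread and is not IBM code: a loopback mock shows that authentication (Basic here) is checked on every request, while the token returned by system/login is a separate CSRF check bound to the already authenticated user. The `/bpm` prefix, the `/bpm/tasks` path, the `csrf_token` field and the `BPMCSRFToken` header are assumptions to confirm in the Swagger UI; the account is constructed.

```python
import base64, json, secrets, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def basic(user, password):  # value of the HTTP Basic "Authorization" header
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

ACCOUNTS = {basic("alice", "s3cret"): "alice"}  # constructed test account
TOKENS = {}                                     # CSRF token -> user it was issued to

class MockBAW(BaseHTTPRequestHandler):  # constructed stand-in; paths and names are assumptions
    def log_message(self, *args): pass  # keep the demo quiet
    def _reply(self, code, body):
        self.send_response(code)
        self.end_headers()
        self.wfile.write(json.dumps(body).encode())
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        user = ACCOUNTS.get(self.headers.get("Authorization"))
        if user is None:                      # authentication is checked first, on every call
            return self._reply(401, {"error": "not authenticated"})
        if self.path == "/bpm/system/login":  # only hands out a CSRF token for that user
            token = secrets.token_urlsafe(16)
            TOKENS[token] = user
            return self._reply(201, {"csrf_token": token})
        if TOKENS.get(self.headers.get("BPMCSRFToken")) != user:
            return self._reply(403, {"error": "CSRF token missing or invalid"})
        self._reply(200, {"user": user})

def call(base, path, auth=None, csrf=None):
    headers = {k: v for k, v in (("Authorization", auth), ("BPMCSRFToken", csrf)) if v}
    req = urllib.request.Request(base + path, data=b"{}", headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

def demo():
    srv = HTTPServer(("127.0.0.1", 0), MockBAW)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base, auth = f"http://127.0.0.1:{srv.server_port}", basic("alice", "s3cret")
    anon = call(base, "/bpm/system/login")[0]               # no credentials at all
    token = call(base, "/bpm/system/login", auth)[1]["csrf_token"]
    no_csrf = call(base, "/bpm/tasks", auth)[0]             # authenticated, token omitted
    ok = call(base, "/bpm/tasks", auth, token)[0]           # authenticated and token sent
    srv.shutdown()
    return anon, no_csrf, ok

if __name__ == "__main__":
    print(demo())
```

Against a real server, only `call` would be kept, pointed at `https://<BAWSERVER>` with TLS verification left on.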