How to authenticate and generate a JWT(bearer token) for Harness without a browser

Howdy folks!

This quick how-to article will go over in some detail, a method to generate a bearer token, also known as a JWT(JSON Web Token), from the Harness authentication endpoint for local login for either SaaS or Self-managed(on-premise) environments.

Note: This how-to article only covers attaining the bearer token utilizing Harness local login(default authentication mechanism), and/or LDAP for SSO. Since SAML v2 SSO requires interacting with an external identity provider, the method can vary greatly for each scenario and is not covered here.

Why would we want to generate a bearer token you ask?

This allows you to access the majority of the publicly facing API endpoints for Harness to perform any given operations as a specific user of your choice, which is particularly helpful from an automation standpoint.

Typically these tokens are found in two places, one being in the JSON response immediately following successful basic authentication to harness user login endpoint, or in the headers of subsequent requests made to harness API endpoints via your browser. In the past, we have recommended grabbing the bearer token(JWT) from the browser developer console or similar method, as found here:

However, we have received several requests around automating generation of the JWT, so I felt it might be nice to shed some light on the subject and offer an example of how one can grab the bearer token without any excessive manual user interaction.

First, an example shell script that will generate a new token each time it is executed(note: this script works for SaaS for on-premise versions of Harness):

#!/bin/bash

user="[email protected]"
pass="Tester123"
host="app.harness.io"


  b64auth=`printf "$user:$pass" |base64`
  auth=${b64auth%Cg==}

echo -n "Generating bearer token..."

token=`curl -s -X POST -H 'content-type: application/json' -d "{\"authorization\":\"Basic $auth\"}" https://$host/gateway/api/users/harness-local-login |jq '.resource.token'`

  [[ $token == "null" ]] && echo "[FAIL]" || echo "[OK]"

# Strip additional characters from JWT

cleantoken=`echo $token | sed 's/"//g'`

echo "Token = $cleantoken"



The above example script(bash), has three items/variables required to attain the bearer token in the script(username, password, and manager host).

Note: For authenticating via LDAP/SSO, you would need to manually update the endpoint to reflect /gateway/api/users/login.

Once these are defined and the script is run, example output:

From here you now have a bearer token(JWT) with an expiry of 24 hours, unless you generate a new token and/or login/logout with the previously used username, then the old token would expire. As previously mentioned, you can use this token to access a plethora of harness API endpoints, which can be found in our documentation. I hope someone finds this helpful, any questions I did not answer feel free to ask in the comments, thanks!

2 Likes