Acquia CDP

API Authentication Mechanism

To use the REST API endpoint, you must first set up user authentication, which enables you to self-service the desired implementation. The user authentication mechanism to choose for an integration depends on the purpose of the implementation, such as upstream or downstream data.

To set up the Webtag user authentication method, contact Acquia support.

User roles 

The user role levels determine the setup of the authentication access mechanism. After you create a user, CDP generates an authorized bearer token. With the bearer token, you can access the Tracker API, push upstream payloads to it, and pull downstream payloads from it.

The following are the user roles:

  • Integration Users: These are self-service users that you can create through Self-service Integration.

  • 360 Profile Users: These are self-service users that you can create through integration.

  • Webtag Service Users: These are users that you cannot create through self-service integration. To create these users, contact Acquia support.


The following are the features of the API authentication mechanism:

  • Creation of user account roles: You can create up to five Integration, 360 Profile, and Webtag Service users.

  • Rotation of bearer tokens for authenticated users: Authenticated users can request a rotation for up to three available tokens in the production environment, which comprises the PROD and UAT tenants. In the development environment, which is a CS tenant, authenticated users can request a rotation for up to five available tokens. When you request a new token, CDP disables the previously used tokens, which enhances security by preventing the misuse of old tokens.

  • Extension of the current bearer token: Authenticated users can extend the validity of the currently invoked token. This is useful when you need the token for a longer duration than the API policy allows.

  • Deletion of a bearer token: You can delete the current token or specify a particular token for deletion. This provides control over the token lifecycle and can be a critical aspect of managing access and security.

  • Wiping all invoked bearer tokens and resetting: Authenticated users can wipe all invoked and used tokens. This is a comprehensive way to ensure that no old tokens remain active, which enhances the overall security posture and resets the authenticated user's status back to 0 tokens invoked.