Back to top
Home / Knox Cloud Authentication / Tutorial /

Tutorial for customers — Generate access token

Last updated November 9th, 2023

Note

If you’re a third party portal provider and you’d like to make calls to Knox cloud service on behalf of your customers, see the integration guide for EMMs.

Complete these steps to generate your access token using the Knox cloud service APIs.

  1. Register for a Samsung Knox account

    Follow the steps at Create a Samsung Knox account to create a Samsung Knox account.

  2. Apply for Knox Cloud API access by contacting your local Samsung representative. If you can’t get access through a Samsung Knox representative, please create a support ticket. To submit a support ticket:

    1. Log in to the Knox Admin Portal.
    2. Under Support & dev resources, click Submit/view tickets.
    3. In the dialog that’s shown, click SUBMIT A SUPPORT TICKET.

  3. Generate your key pair from the Knox Cloud API portal:

  4. From the portal, generate a public/private key pair called keys.json by clicking Download. This is a JSON file that contains the following information. It only needs to be generated once:

    • Public key — Key that is sent in the body of the access token REST API and stored by Samsung Knox to validate signed requests.
    • Private key — Key that should be stored and never revealed. This key is used for signing the Client Identifier and the Access Token returned by the REST API call. This key is not stored by Samsung Knox and we will never request it from you.

    * Access to Knox Cloud API portal is supported by the following browsers — Chrome, Firefox, Safari, and Microsoft Edge. In order to get the best possible Knox Cloud API experience, upgrade your preferred browser to the latest version.

  5. Generate your unique Client Identifier from the Knox Cloud API portal. This unique identifier only needs to be generated once, unless either:

    1. Privileges need to be changed.
    2. The Client Identifier is lost or stolen.

    In both cases, re-generating the Client identifier invalidates the previous one.

    Knox Cloud API portal client identifier

  6. Get the support files

    This solution is designed for a Java environment (v1.6 and above). Download the JAR and README files.

    Download JAR 
    $ npm install knox-token-library-js

    Get the NuGet package.

    Download nupkg

  7. Sign your Client Identifier with the token utility supplied above. See the source code below on how to sign your Client Identifier. For more information on using this utility jar, refer to the included README file in the JAR file download package.

    String clientId = "myClientId";String cert = "src/test/resources/keys.json";String signedClientId = KnoxTokenUtility.generateSignedClientIdentifierJWT(new FileInputStream(cert),clientId);
    const knoxTokenLibraryJs = require('knox-token-library-js');var clientId = "<insert-Client-Identifier-Step-3>";var signedClientId = knoxTokenLibraryJs.generateSignedClientIdentifierJWT("keys.json", clientId);
    using knoxAPIUtility;var cert = "<insert path to keys.json>";var clientId = "<insert-Client-Identifier-Step-3>";var signedClientId = KnoxTokenUtility.generateSignedClientIdentifierJWT(cert, clientId);

  8. Generate your access token by calling the accesstoken REST API with your signed clientId and public key. The signed Client Identifier should be set as the value to clientIdentifierJwt in the request body of the accesstoken REST API. You can also set the token valid time between 1 — 30 minutes. The valid time is set to 30 minutes by default.

    For example:

    curl -X POST <Knox-AccessToken-Endpoint> -H 'Content-Type: application/json' -d {"clientIdentifierJwt": "signedClientId","base64EncodedStringPublicKey": "myPublicKey"}'

  9. Sign your accesstoken with your private key, using the utility JAR file as seen below.

    String accessToken = "myAccessToken";String signedAccessToken = KnoxTokenUtility.generateSignedAccessTokenJWT(new FileInputStream(cert),accessToken);
    var accessToken = "<insert-access-token>"var signedAccessToken = knoxTokenLibraryJs.generateSignedAccessTokenJWT("keys.json", accessToken );
    var accessToken  = "<insert-access-token>"var signedAccessToken =KnoxTokenUtility.generateSignedAccessTokenJWT(cert, accessToken );

    The signed accesstoken expires after its valid time runs out. Once that happens it returns the 403225 error code.

  10. Enter your access token in the x-knox-apitoken header parameter of your Knox cloud service API request. See the API reference for your Knox cloud service for details.

    Here is an example of how to detect when the access token expires, get a fresh access token, and call a Knox Cloud Service API again.

    // Expired access token error codestatic String ACCESS_TOKEN_EXPIRED = "4032251";try {    // Call Knox cloud service API    callKnoxCloudService(signedAccessToken);} catch (Exception exception) {    String responseBodyAsString = ((HttpClientErrorException) exception).getResponseBodyAsString();    // Get error code value    JsonNode code = new ObjectMapper().readTree(responseBodyAsString).get("code");    // If error code matches expired access token error code, generate another token    if (code.asText().equalsIgnoreCase(ACCESS_TOKEN_EXPIRED)) {        // Generate a new access token by calling accesstoken API (Step 6)        accessToken = getAccessToken(signedClientId, publicKey);        // Sign your new access token (Step 7)        signedAccessToken = KnoxTokenUtility.generateSignedAccessTokenJWT(new FileInputStream(<insert path to keys.json>), accessToken)    }}

Is this page helpful?