REST API with Checkmk Cloud Edition

rons4 · May 27, 2025, 8:40pm

I use a trial version of the Checkmk cloud edition. It seems I cannot use the REST API and I get this authentication error:

{
  "title": "Unauthorized",
  "status": 401,
  "detail": "Wrong credentials (Bearer header)"
}

This is my sample call:

https://xxxxx.us-east.checkmk.cloud/xxxxx/check_mk/api/1.0/objects/host_config/example.com
Authorization: Bearer xxxxx yyyyy
Accept: application/json

Do you know whether this is a restriction of the trial version? I also cannot create new users.

Thanks a lot in advance.

rons4 · May 28, 2025, 7:10am

I tried a few things and I found a solution.

My guess was that the default user in the cloud trial was not quite ready for the REST API.

This might be a by-design restriction of the cloud trial version? Also, it is not possible in the GUI to create a new user. Might also be a trial restriction?

But, you can access the REST API UI. This is meant for testing the API and I was able to create a new user from there. With this user I can successfully access the REST API. Tricky

creiser · June 3, 2025, 8:03am

Hi Ron,
Apologies for the late reply. In the Checkmk Cloud (SaaS) edition you can only access the REST API via an automation user and its secret. Only automation users’ credentials are known to the site. Credentials of all “password based” users are only known to the AWS IdP (Cognito) and not to the site and hence cannot be used to authenticate REST API calls.

We have pre-configured an automation user called “api_user” that can be used to authenticate REST API calls. You can find it under Setup > Users > Users. Then edit it and specify a secret. Use the secret in the authentication header to authenticate your calls.

Christian

rons4 · June 5, 2025, 4:45pm

Thanks a lot, that helps and is indeed much easier than my approach