Sending authenticated calls for external users

When a caller application wants to make a system API call for an external user, the caller application must:
  1. Request an authorization code from Guidewire Hub
  2. Use the code to request a JWT from Guidewire Hub
  3. Include the JWT with the system API call

Requesting codes and JWTs from Guidewire Hub

For more information on how to request codes and JWTs from Guidewire Hub, refer to Authentication with Guidewire Identity Federation Hub in the Guidewire Cloud Platform documentation set.

Including JWTs with API calls

Once a JWT has been received from Guidewire Hub, it must be sent to PolicyCenter in the request object's Authorization header. The header must use this format:

Authorization: Bearer <token>

Authentication failure error messages

For endpoints that return elements, when a given resource exists but the user lacks authorization to access it, Cloud API throws the following user message. This is the same message that is returned when the resource does not exist.

"status": 404,
        "errorCode": "gw.api.rest.exceptions.NotFoundException",
        "userMessage": "No resource was found at path <path>"

For endpoints that return collections, Cloud API returns all resources that meet the criteria and for which the user has sufficient resource access. If a resource exists, but the user lacks sufficient authorization, Cloud API omits it from the results.

These approaches are considered to be more secure as they prevent malicious callers from being able to verify the existence of data that they are not authorized to access.