How to retrieve a user token from Nexus using REST

To address security concerns of exposing a user's company login information, Nexus Professional includes a  "User Token" authentication method.

The User Token concepts are explained in the Nexus Book User Token section.

Retrieving a User Token For a Specific User Using REST

There is a REST API that can be used to get a user's user token. First make sure the User Token feature is enabled. Then, it takes two steps to get a user's token via REST.

First you need to generate a single use access token to gain access to the REST resource which will return the User Token for the user.

Send a POST request with the regular username and password Basic Authorization headers and base64 encoded payload values:

  • Nexus 2.7+: http://localhost:8081/nexus/service/siesta/wonderland/authenticate
  • Nexus 2.0-2.6x: http://localhost:8081/nexus/service/local/usertoken/authenticate

Once you get the single use access token from the response, make a GET request which includes Basic Authentication headers to fetch the actual "User Token" value.

  • Nexus 2.7+: http://localhost:8081/nexus/service/siesta/usertoken/current
  • Nexus 2.0-2.6x: http://localhost:8081/nexus/service/local/usertoken/current

When calling the current endpoint, you'll need to set a special Nexus specific header as part of the GET request. The header value is the single use access token from the authenticate response. The header name is:

  • Nexus 2.7+: X-NX-AuthTicket
  • Nexus 2.0-2.6.x: X-NX-UserToken-AuthTicket

Single use tokens are only valid for a maximum of 20 seconds by default. This means the current resource must be accessed within 20 seconds from obtaining the single use token.

Why must Basic Authentication credentials be provided which match the payload credentials?

The authenticate resource will return a 400 HTTP status code if the Basic Authentication credential username does not match the decoded payload username.

The reasoning is that an access token for user A should only be issued to an authenticated user A. In the UI, this is modelled by a dialog which prompts for credential verification before exposing a user token.

After an access token is issued, it represents the principal and so the basic authentication prevents impersonating another user with an access token.

Example Using Curl

First base64 encode the user ID and password using the "base64" command line tool:

> echo -n "admin" | openssl base64
> echo -n "admin123" | openssl base64

Then get a single use token for admin user using POST data and Basic Authentication:

> curl -H "Accept: application/json" -H "Content-Type: application/json" --data '{"u":"YWRtaW4=","p":"YWRtaW4xMjM="}' -u admin:admin123 http://localhost:8081/nexus/service/siesta/wonderland/authenticate
  "t" : "gnwEA5/maPV3sGYrROcqISmbL2+/YzMwADHIshNxB+7sPnHy6dTpE8Isolv3f4PSOxiiNwPWmVdCqpFPBNsJiX4I"

Use the single use token in a special header to GET the current user token using Basic Authentication for the same user in the first request:

> curl -H "Accept: application/json" -H "Content-Type: application/json" -H "X-NX-AuthTicket: gnwEA5/maPV3sGYrROcqISmbL2+/YzMwADHIshNxB+7sPnHy6dTpE8Isolv3f4PSOxiiNwPWmVdCqpFPBNsJiX4I" -u admin:admin123 http://localhost:8081/nexus/service/siesta/usertoken/current
  "nameCode" : "8I034iTW",
  "passCode" : "EraLxqQei3DO9fjcTTAO9fvKU9t7EaliZIzjolDnAv37",
  "created" : "2014-01-28T17:17:07.701+0000"

You can find more information about how to use the REST API in general here:

Have more questions? Submit a request


  • 0
    NGSA Vanguard

    A complete example using wget or curl would be very useful

  • 0
    Kumaresan (suspended)

    The command to get single token throws attached error. I have tried all the possibilities. Please advise


    Nexus version 2.11.4


  • 0
    Peter Lynch

    We are closing this article for comments.

    If you have a support license, please contact us by submitting a support ticket.

    If you do not have a support license, please use our Nexus Users List or our other free support resources.

Article is closed for comments.