You can use the imx/login/<API project name> API method for primary authentication on the API project.
To do this, use the POST HTTP method to send a query containing the following:
{ "Module": "RoleBasedPerson", "User": "<user name>", "Password": "<password>" }
TIP: See the SDK for examples.
Security mechanisms
The API Server uses a security mechanism to prevent cross-site request forgery (XSRF) attacks. This randomly generates a token (XSRF-TOKEN) and sends it to the client in a cookie at login. The client must then transmit the value of this token in an HTTP header (X-XSRF-TOKEN) in each request sent to the server. If this header is missing, the request is terminated with error code 400.
NOTE: If an API request breaks off with an error and indicates an incorrect CSRF protection cookie, check if your browser accepts the cookies sent by the browser.
TIP: You can change the name and path of the cookie and the name of the HTTP header in the Administration Portal. To do this, use the Name of the cookie containing the CSRF protection token issued by the server (XsrfProtectionCookieName) and Path for the CSRF protection cookie (XsrfProtectionCookiePath) configuration keys.
You can also disable CSRF protection in the administration portal (Globally disable CSRF protection tokens (XsrfProtectionDisabled) configuration key). One Identity does not recommend doing this.
For more information about editing configuration keys, see the One Identity Manager Web Application Configuration Guide.