Automate MFT uses Private Key JWT (PKJWT) as its authentication model for all API access. Clients authenticate by creating and signing a short‑lived JSON Web Token (JWT) with their private key and presenting it to Automate MFT’s token endpoint. Once the JWT is validated, Automate MFT issues a temporary access token that the client uses to call the API.

The process consists of three steps: Create and sign a JWT → Exchange it for an access token → Call the API using that token.
  1. Create and sign a JWT.
    Build a short‑lived JWT and sign it with your private key. Include:
    • aud (audience): the token endpoint URL, https://api.region.mft.progress.com/v1/oauth/token
    • exp (expiration): ≤ 10 minutes from now
    • iat (issued at) and nbf (not before)
    • jti (JWT ID): unique identifier for replay protection
    • iss (issuer): your tenantId
    • sub (subject): your tenantId
    Tip: your tenantId can be found on the Automate MFT Plan and Usage page.
    Set the JWT header kid to the API key ID you saved when you created the method.
  2. Exchange the signed JWT for an access token.
    Send the JWT to the token endpoint using a standard OAuth‑style POST:
    grant_type=client_credentials
    client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
    client_assertion=your-signed-JWT

    The response includes an access_token to use with the APIs.

  3. Call the APIs.
    Include the access token in the Authorization header for each request:
    Authorization: Bearer access_token
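
The three steps above as an added Node.js example (not Progress's sample script), using only the built-in crypto module. The RS256 signing algorithm is an assumption, since this page does not name one, and the function names are hypothetical; "region" in the URL is left as the placeholder shown above.

```javascript
// Added example. Assumptions: RS256 signing; all function names are hypothetical.
const crypto = require('node:crypto');

const TOKEN_URL = 'https://api.region.mft.progress.com/v1/oauth/token'; // "region" is a placeholder

const b64url = (input) => Buffer.from(input).toString('base64url');

// Step 1: build the claims listed above and sign "header.payload" with the private key.
function buildClientAssertion({ tenantId, keyId, privateKey, lifetimeSeconds = 300, now = Date.now() }) {
  if (lifetimeSeconds <= 0 || lifetimeSeconds > 600) {
    throw new RangeError('exp must be no more than 10 minutes from now');
  }
  const iat = Math.floor(now / 1000);
  const header = { alg: 'RS256', typ: 'JWT', kid: keyId }; // alg is an assumption
  const claims = {
    iss: tenantId,
    sub: tenantId,
    aud: TOKEN_URL,
    iat,
    nbf: iat,
    exp: iat + lifetimeSeconds,
    jti: crypto.randomUUID(), // fresh per assertion, for replay protection
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Step 2: form-encoded body for the POST to the token endpoint.
function buildTokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: 'client_credentials',
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: assertion,
  }).toString();
}

// Step 3: header line to attach to each API request.
const authorizationHeader = (accessToken) => `Authorization: Bearer ${accessToken}`;

// Local pre-flight check before sending: signature verifies and lifetime is within 10 minutes.
function verifyClientAssertion(jwt, publicKey) {
  const [h, p, s] = jwt.split('.');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  return ok && claims.exp - claims.iat <= 600 ? claims : null;
}
```

Generate a new assertion for every token request rather than caching one, so each carries its own jti and a fresh exp.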

For a sample Python script with some examples of its use, see API endpoints.