Can we hit Cumulocity APIs with bootstrap credentials of microservice

Product/components used and version/fix level:

Cumulocity Production

Detailed explanation of the problem:


  1. Is it possible to access the Cumulocity APIs with the bootstrap credentials of my microservice?
  2. In SDK, we pass bootstrap credentials so How do you access the APIs with these credentials since they dont work directly?



see Stefans Response to your previous thread here:

The bootstrapuser is just for retrieving the service user for each tenant. I think I made this clear now multiple times. You should not use that in any other API Call of your microservice (even when it is working). The service user permissions are defined in your manifest file.

Hi Korbinian,

That is fine but I need to understand the process here. Can’t we expose the “service user” credentials and use rest API call internally?

Everything is well documented here:

What is missing from your perspective? For what purpose do you want to expose the service user credentials outside of the microservice context? Of course you can do that but security-wise it is still a high risk because the service user has all the rights which are defined in the microservice manifest…

Hi Stefan,

When we provide a value to the required interval field, a availability fragment is created for that specific M.O. Now when we are trying to send update the fragment it is not working because of that “header” in SDK. So, if we get the user credentials, we can do a rest API call and send an empty put call which will make sure that the request is coming from a device as you suggested in different post.


Uhhh this is way too complicated for what you wanted to achieve. It’s much easier.
See here for an example using restTemplate:

Just adapt that to the inventory API and you can freely define which headers are sent or not also you get the required credentials via the context service which can be autowired into your service:

private ContextService<MicroserviceCredentials> contextService;

headers.set("Authorization", contextService.getContext().toCumulocityCredentials().getAuthenticationString());
1 Like

Hi Stefan,

We have implemented what you said and it worked in local but after deployment we are getting errors. It is not able to pull the image and the service is unhealthy. Could you please help how we can resolve this issue? If any extra roles required for this "context service*.