The sign_in resource requests authorization.


This resource sets the authentication cookies required for future requests. A sign_in may fail if there are still valid authentication cookies. The cookies can be reset with a request to sign_out.



Supported HTTP methods

  • POST

Supported authentication methods

Basic authentication

Here are instructions for authenticating using basic authentication.

Basic authentication can be used for accessing the ALM Octane REST API, and OData. You cannot use basic authentication to access the ALM Octane client.

Content-Type header

The Content-Type header is text/plain.


To activate basic authentication, set the value of the SUPPORTS_BASIC_AUTHENTICATION configuration parameter for each space.

For details, see the SUPPORTS_BASIC_AUTHENTICATION configuration parameter.


According to the Basic Authentication specification, the Authorization header token should be sent with each subsequent OData request. The token is based on the encoding of the user name and password, separated by a colon (:), as an octet sequence. This octet sequence is then encoded as Base64.

Example: Authorization: Basic <token>


Send the user name and password in the header.

JSON authentication

Here are instructions for authenticating using JSON authentication.

Content-Type header

The Content-Type header is application/json.


  • For user credentials: Provide a JSON object with the credentials.

    Use this type of payload to work with the API as the site admin.

         "user": "<username>", 
         "password": "<password>" 
  • For API key:

         "client_id": "<client_id>", 
         "client_secret": "<client_secret>" 

Status codes

Status Status code Description
Successful authentication 200 (OK) A cookie with the name LWSSO_COOKIE_KEY is set as a response cookie. See Cookies.
Failed authentication 401 (Unauthorized) Not authenticated.


Upon successful authentication, a cookie with the name LWSSO_COOKIE_KEY is set as a response cookie.

  • This cookie is expected to be sent in each subsequent request.

  • This cookie is the authentication cookie.

  • This timeout of the cookie is 3 hours.

  • The value of this cookie can be refreshed upon specific subsequent call (renewal) of the cookie.

  • If using the refreshed cookie, the timeout is extended.

  • The limit for refreshing the cookie is 24 hours. This means that upon authentication, the original cookie can be refreshed up to 24 hours (if always using the refreshed cookie sent from server).

Note: The LWSSO_COOKIE_KEY expires after 24 hours. When this happens, the session expires, and 401 errors are issued in response to requests. Re-authenticate to continue.

  • A cookie with the name HPSSO_COOKIE_CSRF is sent as a response cookie if specified. By default, this cookie is not sent.

    • If enabled, the value of this cookie must be sent in subsequent requests via the header named HPSSO-HEADER-CSRF.

    • This cookie is useful for prevention of CSRF attacks.

    • To return the HPSSO_COOKIE_CSRF cookie, specify the boolean property enable_csrf with the value true in the payload.

           "user": "<username>",
           "password": "<password>",
           "enable_csrf": true
  • Back to top

    See also: