Anaplan is making updates across our APIs to enhance the security and reliability of our systems. These changes are meant to reduce risk and ensure that your integrations remain stable and supported as we scale.
Field addition to certificate-based authentication
Our certificate-based authentication API requires a new encodedDataFormat field in the request. The value entered should be v2. This makes each request time-specific, which improves security and prevents potential misuse. When encodedDataFormat is v2, encodedData is prefixed with an 8-byte timestamp.
If you use our certificate-based authentication API, please work with your technical teams to add the new encodedDataFormat field to your header, along with the changes to the contents of encodedData.
Changes
| Field | Usage | Endpoint | Direction |
| --- | --- | --- | --- |
| encodedDataFormat | New field. Value entered should be v2 | /token/authenticate | Request |
Example request payload
{
  "encodedDataFormat": "v2",
  "encodedData": "AAAAAGhaH7pebU386At+2uv/3lpGFMjzXvyg/9l1/imcrKrbW/jGgC+GBboUEyQ0xNA654rA==",
  "encodedSignedData": "dL7D64YlMIk//2Bq9nBN6CwCcM8/tMNAdEY/SQpRrr+YFLZ80/zMrrThuG0xK1qA/ug8vj+i8v/zHQ=="
}
Note: Changes to the certificate-based authentication API don't impact customers on V1 APIs. V2 API customers can begin adopting these updates now. We will send out further communication before these changes become mandatory.
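The following Python example is added here and is not Anaplan's code: it builds a v2 request body and runs a local check on the timestamp prefix before the request is sent. It assumes the prefix is big-endian Unix seconds (consistent with the leading bytes of the example payload above) and that the signature covers the same bytes encodedData carries; `sign`, `nonce_len` and `max_skew` are hypothetical names.

```python
import base64
import os
import struct
import time

TS_LEN = 8  # the page: encodedData is "prefixed with 8 bytes of timestamp"

def build_request(sign, now=None, nonce_len=100):
    """Build a v2 body. `sign` is a caller-supplied (hypothetical) callable that
    signs bytes with the certificate's private key. Assumptions: the timestamp
    is big-endian Unix seconds; the signature covers the bytes in encodedData."""
    ts = int(time.time() if now is None else now)
    raw = struct.pack(">Q", ts) + os.urandom(nonce_len)
    return {
        "encodedDataFormat": "v2",
        "encodedData": base64.b64encode(raw).decode("ascii"),
        "encodedSignedData": base64.b64encode(sign(raw)).decode("ascii"),
    }

def read_timestamp(encoded_data):
    """Return the integer held in the 8-byte prefix of a base64 encodedData."""
    head = base64.b64decode(encoded_data[:12])  # 12 chars decode to 9 bytes
    if len(head) < TS_LEN:
        raise ValueError("encodedData shorter than the 8-byte prefix")
    return struct.unpack(">Q", head[:TS_LEN])[0]

def preflight(payload, now=None, max_skew=300):
    """List problems that would make a v2 request malformed or stale.
    max_skew is a local sanity threshold, not a documented server limit."""
    problems = []
    if payload.get("encodedDataFormat") != "v2":
        problems.append("encodedDataFormat must be v2")
    try:
        ts = read_timestamp(payload.get("encodedData") or "")
    except ValueError:  # binascii.Error is a ValueError subclass
        return problems + ["encodedData has no decodable 8-byte prefix"]
    now = int(time.time() if now is None else now)
    if abs(now - ts) > max_skew:
        problems.append(f"timestamp prefix {ts} is {abs(now - ts)}s from local clock")
    return problems

if __name__ == "__main__":
    # Constructed demo: a stand-in signer so the block runs without a key.
    demo = build_request(sign=lambda raw: b"placeholder-signature")
    print(read_timestamp(demo["encodedData"]), preflight(demo))
```

A stale prefix reported by `preflight` usually points to a drifting host clock or to a cached encodedData value being reused across requests.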
Refresh token added to authentication API response
The token authentication API response includes an additional field called refreshToken. It is introduced in preparation for JSON Web Token (JWT) support, which rolls out signed authentication tokens. The refresh token is a long-lived, securely stored token used in JWT authentication to obtain new, short-lived access tokens without requiring the user to log in again. Ensure this field is marked as OPTIONAL and that unknown fields are ignored.
If you use the token authentication API, we recommend checking with your technical team to ensure that your authentication integration can handle the new refreshToken field in the API response. Specifically, if your systems validate the API response and don't ignore this field, confirm that they'll still accept it when it's present.
Changes
| Field | Usage | Endpoint | Direction |
| --- | --- | --- | --- |
| refreshToken | Ensure your integrations accept this field | /token/authenticate | Response |
Example response
{
  "meta": {
    "validationUrl": "https://auth.anaplan.com/token/validate"
  },
  "status": "SUCCESS",
  "statusMessage": "Login successful",
  "tokenInfo": {
    "expiresAt": 1754089739887,
    "tokenId": "9e4daefeb4-6df27-11f0-9013-1dacef4",
    "tokenValue": "encoded auth token",
    "refreshTokenId": "9e4efadaeb5-6f27-11f0-9013-f6c35678",
    "refreshToken": "encoded refresh token"
  }
}
For more information, see: https://anaplanauthentication.docs.apiary.io/#.