How to log in to service consoles on behalf of another user

The platform provides a way to log in to a service on behalf of another user account without entering its login credentials, using a one-time token. The /idp/ott endpoint allows you to generate a one-time token containing encrypted login-specific data and use it either to log in on behalf of a user account, or to make an external login URL.

Restrictions

The platform enforces the following rules for the /idp/ott endpoint:

  • Only API clients can access this endpoint.

  • A one-time token can be generated for a user account located within the same tenant or its sub-tenants.

  • A one-time token cannot be generated for a user account located in a sub-tenant that has Support access disabled.

Available one-time-token operations

Operation

Methods and endpoints used

Generate an external login URL

GET /idp/external-login
POST /idp/ott

Log in using a one-time token

POST /idp/ott
POST /idp/ott/login