Sometimes the end user of the calling application also needs to be known for a call to be processed correctly. In those situations an OAuth system can authenticate the end user and supply a credential that the calling application forwards to the backend Web API Service. Until the Campus Identity team finishes implementing an OAuth provider specific to our campus needs, Google serves as the interim provider of this OAuth information.

Security Overview Diagram

Where To Get It

Using your UCSB Google Account (ucsbNetId@ucsb.edu), you can create an account at https://console.developers.google.com/. During sign-up you may be asked for credit card information. You can skip that step; nothing you do to create application credentials through this process will cause your card or account to be charged for any services.

Google's platform gains new features and improvements so often that it is hard to keep this documentation up to date. Because of that, please follow the guidance Google provides on using OAuth2 for their services. (https://developers.google.com/identity/protocols/OAuth2)

Usage

Infrequently, a call requires that the client application also send information about the end user who is actually using the application to the backend Web API Service. That information is sent as a JWT in the ucsb-user-jwt request header.

Using the example on the Students - Students page, click the Authorize button:

accessing the employee map API

Enter your API Key information. Follow the Security - API Key Usage guidance if needed. Enter your Basic Auth information. Follow the Security - Basic Authentication guidance if needed.

Next, click on /students/v2/students/current to expand the operation and see its details. On the right side, click on Try it out in order to make the ucsb-user-jwt field editable.

entering your basic authentication

Fill in the ucsb-user-jwt field with a valid ID token (a JWT) obtained from Google OAuth, and click Execute to try out the request.

You should receive a response similar to this:

{
    "perm": "1234567",
    "firstName": "AAAAAA",
    "lastName": "ZZZZZZZ",
    "suffix": null,
    "email": "AAAAAA@umail.ucsb.edu"
}

Note: The above response is fictitious because there is no perm 1234567.

cURL Output

For completeness, you can scroll down to the cURL area to view the full HTTP Request sent via cURL.

curl -X GET "https://api.ucsb.edu/students/students/v2/students/current" -H "accept: application/json" -H "ucsb-user-jwt: eyJhbGciOiJSUzI1NiIsImtpZCI6IjQ2M2ZlNDgwYzNjNTgzOWJiYjE1ODYxZTA4YzMyZDE4N2ZhZjlhNTYiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiI4ODUwMjQwNTE3MDgtMnFzbGFlajIybmR0OHJndDJiMzY1ZTBiZTBodGZibGouYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhdWQiOiI4ODUwMjQwNTE3MDgtMnFzbGFlajIybmR0OHJndDJiMzY1ZTBiZTBodGZibGouYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMTI0MDU1NDI2NDQ1OTE1OTQ1MzEiLCJoZCI6InVjc2IuZWR1IiwiZW1haWwiOiJzbWFnbGlvQHVjc2IuZWR1IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImF0X2hhc2giOiJzQVNCb0lCYlZBV1haX3dWZHh6TkZRIiwiaWF0IjoxNTQzNDUxMTA5LCJleHAiOjE1NDM0NTQ3MDl9.FCchJ_fiOlkDQyVEd5lI7l5s1zcBV3srUW3U8sMqbdc4X55vn21GMjm8P2kl_sDMsvY75He22BiiWaTzJiM8iPS-oTyQ1u2avlDAYpM0hPyorVTVnvKyJW68EWlzRjM7ENsMk-nvOsLqp67JNA0Tp2TKNYnJ4z4q8LPYGg9BG_O3GGZqTnR3Nuu1q50i9kBGsuJpbEL16GG5kLF7rddUGpQ4OjSpK1wYl-jnBncvOs7hW8One66qQbk_7_BYSE7Vij0eeA5HBOB9R6mThVfffQboWRqUwCEgaeM2fnQh0xA7t1u8r1OTyiii_m6S4ecdEwdBiw59L4u5ajfH0oPPYA" -H "ucsb-api-version: 2.0" -H "ucsb-api-key: xxxxxxxxxxxxxxxxxxxx" -H "authorization: Basic xxxxxxxxxxxxxxxxxxxxxxx"

Inspecting JWT Tokens

There are a number of websites which can help inspect a JWT token if you are not sure yours looks correct. Keep in mind that a JWT is a bearer credential: anyone holding it can use it until it expires, so prefer a local decoder over pasting a live token into a third-party site. Try one of these:
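As an added example (not part of the original page or of the Campus API Gateway code), the following Python script inspects a JWT locally, the way the websites mentioned above do, without sending the token anywhere. It builds a constructed sample token whose claim layout mirrors the Google ID token in the cURL example above (the client ID, subject, key ID and e-mail are placeholders, and the signature is a dummy, so it is not a real Google token), then decodes the header and claims and runs the sanity checks a gateway consumer would want: RS256 algorithm, a key ID to look up, a Google issuer, the expected audience, the ucsb.edu hosted domain, a verified e-mail and an unexpired exp. The expected_aud parameter and the check names are this example's own choices.

```python
import base64
import json
import time
from typing import Optional

# Hypothetical client ID used only for the constructed sample token.
SAMPLE_CLIENT_ID = "000000000000-example.apps.googleusercontent.com"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the padding that JWT segments omit."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def build_sample_token(now: int) -> str:
    """Assemble a constructed sample token with the same claim shape as a Google ID token.

    The signature segment is a placeholder, not a real RS256 signature; the
    token exists only so the inspector below has realistic input to parse offline.
    """
    header = {"alg": "RS256", "kid": "examplekid0000", "typ": "JWT"}
    claims = {
        "iss": "https://accounts.google.com",
        "azp": SAMPLE_CLIENT_ID,
        "aud": SAMPLE_CLIENT_ID,
        "sub": "000000000000000000000",
        "hd": "ucsb.edu",
        "email": "example@ucsb.edu",
        "email_verified": True,
        "iat": now - 60,
        "exp": now + 3540,  # Google ID tokens live one hour from iat
    }
    fake_signature = b"\x00" * 256  # placeholder bytes, not a signature
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        b64url_encode(fake_signature),
    ])


def decode_jwt(token: str):
    """Split a compact JWT and decode header and claims WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


def inspect_jwt(token: str, expected_aud: str, now: Optional[int] = None) -> dict:
    """Return named sanity checks (name -> bool) for a Google ID token used with the gateway.

    Passing every check does NOT prove the token is authentic: only verifying the
    RS256 signature against Google's published keys (selected by the header 'kid')
    does that. These checks catch the common mistakes (wrong token type, wrong
    client, wrong domain, expired token) before you send the request.
    """
    if now is None:
        now = int(time.time())
    header, claims = decode_jwt(token)
    return {
        "alg_is_rs256": header.get("alg") == "RS256",
        "has_kid": bool(header.get("kid")),
        "issuer_is_google": claims.get("iss") in ("https://accounts.google.com", "accounts.google.com"),
        "audience_matches": claims.get("aud") == expected_aud,
        "hosted_domain_is_ucsb": claims.get("hd") == "ucsb.edu",
        "email_verified": claims.get("email_verified") is True,
        "not_expired": isinstance(claims.get("exp"), int) and claims["exp"] > now,
    }


if __name__ == "__main__":
    now = int(time.time())
    token = build_sample_token(now)
    header, claims = decode_jwt(token)
    print(json.dumps(header, indent=2))
    print(json.dumps(claims, indent=2))
    for name, ok in inspect_jwt(token, SAMPLE_CLIENT_ID, now).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

To check a real token, replace build_sample_token with the value you pasted into the ucsb-user-jwt field and pass your own OAuth client ID as expected_aud. Run on the token shown in the cURL example above, decode_jwt reports iss https://accounts.google.com, hd ucsb.edu and an exp exactly 3600 seconds after iat; that token's exp falls in 2018, so not_expired is False and the gateway would reject it today.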

Future Plans (OAuth)

The campus is working on a long term strategy to make OAuth available in order to authenticate all campus identities (People and Applications). When that capability becomes available, we will be converting over the Campus API Gateway to use the Campus OAuth system for authenticating applications and securing APIs. We don't see this happening in the near term, but it's definitely on the long term roadmap.