I’m implementing embedded analytics in our web application using the Cognos Analytics REST API. The API authentication keeps failing with ‘Invalid client credentials’ error even though I’ve triple-checked the client ID and secret.
Here’s my authentication request:
POST /api/v1/oauth/token
{"client_id": "my-app-id", "client_secret": "***", "grant_type": "client_credentials"}
The client credentials were generated through the Cognos admin console and I’ve confirmed they’re active. The embedded analytics configuration in Cognos shows my application is registered with the correct redirect URLs. What am I missing here? This is blocking our entire embedded analytics integration.
I agree with the header approach, but also verify that your client credentials have the right scopes assigned. In the admin console under embedded analytics settings, each registered application needs specific API scopes enabled. For basic embedded analytics, you need at least ‘dashboard:read’ and ‘report:read’ scopes. Without proper scopes, authentication will fail even with correct credentials.
Note: Wildcard URLs are not supported; each must be listed explicitly.
After making these changes, authentication works perfectly. The token response includes both access_token and refresh_token. Access tokens expire after 1 hour by default, so implement token refresh logic:
POST /api/v2/oauth/token
Authorization: Basic {credentials}
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&refresh_token={your_refresh_token}&namespace=LDAP
One more critical point about client credentials: they’re case-sensitive and include special characters. Make sure you’re copying them exactly as shown in the admin console, including any hyphens or underscores. I initially had an issue where I was missing a trailing character in the secret.
For embedded analytics security, also configure CORS headers on your Cognos server to allow requests from your application’s domain. This is separate from API authentication but equally important.
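Added example, not part of the original posts and not IBM's code: a Python sketch that builds the refresh request quoted above (Basic header plus form-encoded body) and decides when the one-hour access token is due for refresh. The path, headers and form fields are the ones given in this thread; the function and class names, the `expires_in` parameter and the 60-second safety margin are assumptions.

```python
import base64
import time
from urllib.parse import urlencode

TOKEN_PATH = "/api/v2/oauth/token"   # path given in the thread for 12.0
REFRESH_SKEW = 60                    # assumption: refresh 60 s before expiry


def basic_auth_header(client_id, client_secret):
    """Build 'Basic base64(client_id:client_secret)' and reject copy/paste damage."""
    for name, value in (("client_id", client_id), ("client_secret", client_secret)):
        if not value or value != value.strip():
            raise ValueError(f"{name} is empty or has leading/trailing whitespace")
    if ":" in client_id:
        raise ValueError("client_id must not contain ':' in a Basic credential")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def refresh_request(client_id, client_secret, refresh_token, namespace):
    """Return (path, headers, body) for the refresh call shown in the thread."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # urlencode percent-encodes '+', '/' and '=' so the token survives transport
    body = urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "namespace": namespace,
    })
    return TOKEN_PATH, headers, body


class TokenState:
    """Tracks one access token and says when it must be refreshed."""

    def __init__(self, access_token, refresh_token, expires_in=3600, now=None):
        self.access_token = access_token
        self.refresh_token = refresh_token
        issued = time.time() if now is None else now
        self.expires_at = issued + expires_in

    def needs_refresh(self, now=None):
        now = time.time() if now is None else now
        return now >= self.expires_at - REFRESH_SKEW
```

Keep the client secret and refresh token on the server side of your application and out of request logs; only the resulting access token should be handed to the embedding layer.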
First thing to check - are you sending the credentials in the request body or as a Basic Auth header? The API actually expects them in the Authorization header as a Base64-encoded string. Try encoding ‘client_id:client_secret’ in Base64 and sending it as ‘Authorization: Basic {encoded_string}’ instead of in the JSON body.
Switched to using the Authorization header with Base64 encoding, but still getting the same error. I checked the scopes in the admin console and they look correct. Could this be related to the Cognos version? We recently upgraded to 12.0 - maybe there are new requirements?
Yes, version 12.0 introduced changes to OAuth authentication for embedded analytics! The token endpoint path changed and there’s now a namespace requirement. You need to include the Cognos namespace in your authentication request. Check your Cognos configuration for the namespace ID (usually something like ‘LDAP’ or ‘AD’) and add it as a parameter. Also, the endpoint might be /api/v2/oauth/token in 12.0, not v1.