Blindata API
The Blindata Open API is a REST interface for programmatic access to the platform. Use it to integrate Blindata with your internal applications, automate governance workflows, and build custom connectors—for example, syncing metadata from a pipeline, enriching data from an external service, or exposing Blindata resources to other systems.
API access
API access lets services, schedulers, CLIs, and scripts call the Blindata REST API programmatically, without an interactive browser session. It is independent of UI and SSO sign-in flows: each request must include its own credentials, supplied via bearer token, API key headers, or a Microsoft Entra ID access token.
The actions allowed with a given credential are determined by both the permissions and any applicable team policies for that user. The tenant context for each request is specified with the X-BD-Tenant header.
Resources are exposed under the /api/v1/ path prefix unless otherwise noted. Send requests with Accept: application/json and, when a request body is required, Content-Type: application/json.
Note
This section provides an overview of authentication, tenant selection, and general API usage concepts only. Details about specific API endpoints, request and response structures, and full payload reference are available in the API Docs provided on your Blindata instance. For exact API signatures and exhaustive details, always consult the API documentation exposed via the API Docs link in your environment.
Tenant selection
Each Blindata credential is associated with a default tenant. Specify the target tenant on every request using the X-BD-Tenant header with the tenant UUID. Access is subject to the permissions granted to the credential in use.
You can find your tenant identifier by navigating to Settings > Profile within the Blindata platform. Look for the Tenant Identifier section in your profile details.

When using a Bearer token, pass X-BD-Tenant to target a tenant other than the credential default.
Example request:
GET /api/v1/datacategories HTTP/1.1
Host: api.blindata.io
X-BD-Tenant: Example-Tenant-UUID
Accept: application/json
Add the authentication headers for your chosen method, as described in the following section.
Authentication
Note
The authentication methods described below may not all be available on your tenant. Availability depends on the security configuration provisioned for your organization. Contact Blindata support if you are unsure which methods are enabled.
Blindata supports multiple authentication mechanisms for user-to-machine and machine-to-machine integrations:
| Method | Typical use case | How to authenticate |
|---|---|---|
| Bearer token | Interactive integrations, scripts, and services that can obtain a session token | Authorization: Bearer <token> |
| API key | Long-lived machine-to-machine access with application users | X-BD-User and X-BD-ApiKey headers |
| Microsoft Entra ID access token | Enterprise integrations using Microsoft identity | Authorization: Bearer <entra-access-token> |
Include credentials for a single method per request.
Bearer token authentication
Bearer token authentication uses Blindata session tokens obtained through the authentication endpoints. Tokens are JSON Web Tokens (JWTs) validated against their signature, Blindata's distributed internal cache, and the user account status.
| Endpoint | Method | Description |
|---|---|---|
| /auth/login | POST | Create a new session token |
| /auth/logout | GET | Destroy the current token |
| /auth/introspection | GET | Return details about the current token |
Login request example:
POST /auth/login HTTP/1.1
Host: api.blindata.io
Content-Type: application/json
Accept: application/json
X-BD-Tenant: Example-Tenant-UUID

{
  "username": "Example",
  "password": "Example-Password"
}
Login response example:
{
  "access_token": "eyJhbGciOiJIUzUxMiJ9...",
  "token_type": "Bearer",
  "username": "admin"
}
Use the returned access_token on subsequent API calls:
GET /api/v1/datacategories HTTP/1.1
Host: api.blindata.io
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9...
X-BD-Tenant: Example-Tenant-UUID
Accept: application/json
Logout request example:
GET /auth/logout HTTP/1.1
Host: api.blindata.io
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9...
X-BD-Tenant: Example-Tenant-UUID
API key authentication
API key authentication is intended for machine-to-machine access with dedicated application user credentials. The user must have API access enabled in Blindata. See Application users for setup instructions.
Provide credentials in two custom headers:
| Header | Description |
|---|---|
| X-BD-User | The application username |
| X-BD-ApiKey | The API key (password) |
Example request:
GET /api/v1/datacategories HTTP/1.1
Host: api.blindata.io
X-BD-User: Example
X-BD-ApiKey: Example-Password
X-BD-Tenant: Example-Tenant-UUID
Accept: application/json
Microsoft Entra ID access token
Organizations using Microsoft Entra ID (formerly Azure AD) can authenticate API requests with a Microsoft-issued access token instead of a Blindata session token or API key.
GET /api/v1/datacategories HTTP/1.1
Host: api.blindata.io
Authorization: Bearer <microsoft-entra-access-token>
X-BD-Tenant: Example-Tenant-UUID
Accept: application/json
The API accepts Entra access tokens that:
- Are issued by https://login.microsoftonline.com/{tenant-id}/v2.0
- Contain exactly one audience (aud) claim matching your Blindata instance URL
- Map to an existing Blindata user, or can be associated automatically on first use
User access tokens
When the token represents a signed-in user, Blindata resolves the account from the sub claim. The user must already exist in Blindata and must already have signed in using Entra SSO.
Request tokens with scope {your-blindata-instance-url}/.default.
Daemon and service principal access tokens
For unattended integrations, register a service principal in Entra ID and create a corresponding application user in Blindata with username:
msazure:{object_id}@{azure_tenant_id}
where {object_id} is the Object ID of the service principal and {azure_tenant_id} is the Azure tenant ID (tid claim).
Obtain an access token with the OAuth 2.0 client credentials flow, requesting scope {your-blindata-instance-url}/.default. Verify that oid and sub are equal, iss starts with https://login.microsoftonline.com/, and tid matches your Azure tenant.
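The checks listed above can be run locally before a token is ever sent to the API. The following is an added example, not code from Blindata: it decodes a token's claims, applies the oid/sub, iss and tid checks together with the single-audience rule, and derives the application username to create in Blindata. The function names, the instance URL and the identifiers are constructed for illustration; the signature is not verified here, and comparing aud by exact string equality is an assumption.

```python
import base64
import json

ISSUER_PREFIX = "https://login.microsoftonline.com/"

def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def preflight(token, instance_url, azure_tenant_id):
    """Apply the claim checks from the page; return (problems, expected_username)."""
    c = decode_claims(token)
    problems = []
    aud = c.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # Assumption: "matching" is treated as exact string equality.
    if len(audiences) != 1 or audiences[0] != instance_url:
        problems.append("aud must be exactly one value equal to the instance URL")
    if not str(c.get("iss", "")).startswith(ISSUER_PREFIX):
        problems.append("iss does not start with " + ISSUER_PREFIX)
    if c.get("tid") != azure_tenant_id:
        problems.append("tid does not match the expected Azure tenant")
    if not c.get("oid") or c.get("oid") != c.get("sub"):
        problems.append("oid and sub must be equal for a service principal token")
    # Username format from the page: msazure:{object_id}@{azure_tenant_id}
    username = "msazure:{}@{}".format(c.get("oid"), c.get("tid"))
    return problems, username

def make_token(claims):
    """Build an unsigned, constructed sample token for the demo below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return "{}.{}.sig".format(enc({"alg": "RS256", "typ": "JWT"}), enc(claims))

# Constructed sample values (not real identifiers).
TENANT = "11111111-1111-1111-1111-111111111111"
OBJECT = "22222222-2222-2222-2222-222222222222"
INSTANCE = "https://blindata.example.com"
GOOD = make_token({"aud": INSTANCE, "iss": ISSUER_PREFIX + TENANT + "/v2.0",
                   "tid": TENANT, "oid": OBJECT, "sub": OBJECT})
# A user-style token: sub differs from oid, so the daemon check must flag it.
USER = make_token({"aud": INSTANCE, "iss": ISSUER_PREFIX + TENANT + "/v2.0",
                   "tid": TENANT, "oid": OBJECT, "sub": "constructed-user-subject"})

if __name__ == "__main__":
    for name, tok in (("service principal", GOOD), ("user", USER)):
        problems, username = preflight(tok, INSTANCE, TENANT)
        print(name, "->", username if not problems else problems)
```

Run it against a token from the client credentials flow during setup; an empty problem list means the printed username is the one the Blindata application user should carry.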
For full Entra ID configuration steps, see SSO With Microsoft Entra ID.