Blindata API

The Blindata Open API is a REST interface for programmatic access to the platform. Use it to integrate Blindata with your internal applications, automate governance workflows, and build custom connectors—for example, syncing metadata from a pipeline, enriching data from an external service, or exposing Blindata resources to other systems.

API access

API access lets services, schedulers, CLIs, and scripts call the Blindata REST API programmatically, without an interactive browser session. It is independent of UI and SSO sign-in flows: each request must include its own credentials, supplied via bearer token, API key headers, or a Microsoft Entra ID access token.

The actions allowed with a given credential are determined by both the permissions and any applicable team policies for that user. The tenant context for each request is specified with the X-BD-Tenant header.

Resources are exposed under the /api/v1/ path prefix unless otherwise noted. Send requests with Accept: application/json and, when a request body is required, Content-Type: application/json.

Note

This section provides an overview of authentication, tenant selection, and general API usage concepts only. Details about specific API endpoints, request and response structures, and full payload reference are available in the API Docs provided on your Blindata instance. For exact API signatures and exhaustive details, always consult the API documentation exposed via the API Docs link in your environment.

Tenant selection

Each Blindata credential is associated with a default tenant. Specify the target tenant on every request using the X-BD-Tenant header with the tenant UUID. Access is subject to the permissions granted to the credential in use.

You can find your tenant identifier by navigating to Settings > Profile within the Blindata platform. Look for the Tenant Identifier section in your profile details:

Locating your Tenant Identifier in Settings > Profile

When using a Bearer token, pass X-BD-Tenant to target a tenant other than the credential default.

Example request:

GET /api/v1/datacategories HTTP/1.1
Host: api.blindata.io
X-BD-Tenant: Example-Tenant-UUID
Accept: application/json

Add the authentication headers for your chosen method, as described in the following section.

Authentication

Note

The authentication methods described below may not all be available on your tenant. Availability depends on the security configuration provisioned for your organization. Contact Blindata support if you are unsure which methods are enabled.

Blindata supports multiple authentication mechanisms for user-to-machine and machine-to-machine integrations:

Method Typical use case How to authenticate
Bearer token Interactive integrations, scripts, and services that can obtain a session token Authorization: Bearer <token>
API key Long-lived machine-to-machine access with application users X-BD-User and X-BD-ApiKey headers
Microsoft Entra ID access token Enterprise integrations using Microsoft identity Authorization: Bearer <entra-access-token>

Include credentials for a single method per request.

Bearer token authentication

Bearer token authentication uses Blindata session tokens obtained through the authentication endpoints. Tokens are JSON Web Tokens (JWT) validated against their signature, Blindata distributed internal cache, and user account status.

Endpoint Method Description
/auth/login POST Create a new session token
/auth/logout GET Destroy the current token
/auth/introspection GET Return details about the current token

Login request example:

POST /auth/login HTTP/1.1
Host: api.blindata.io
Content-Type: application/json
Accept: application/json
X-BD-Tenant: Example-Tenant-UUID

{
    "username": "Example",
    "password": "Example-Password"
}

Login response example:

{
    "access_token": "eyJhbGciOiJIUzUxMiJ9...",
    "token_type": "Bearer",
    "username": "admin"
}

Use the returned access_token on subsequent API calls:

GET /api/v1/datacategories HTTP/1.1
Host: api.blindata.io
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9...
X-BD-Tenant: Example-Tenant-UUID
Accept: application/json

Logout request example:

GET /auth/logout HTTP/1.1
Host: api.blindata.io
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9...
X-BD-Tenant: Example-Tenant-UUID

API key authentication

API key authentication is intended for machine-to-machine access with dedicated application user credentials. The user must have API access enabled in Blindata. See Application users for setup instructions.

Provide credentials in two custom headers:

Header Description
X-BD-User The application username
X-BD-ApiKey The API key (password)

Example request:

GET /api/v1/datacategories HTTP/1.1
Host: api.blindata.io
X-BD-User: Example
X-BD-ApiKey: Example-Password
X-BD-Tenant: Example-Tenant-UUID
Accept: application/json

Microsoft Entra ID access token

Organizations using Microsoft Entra ID (formerly Azure AD) can authenticate API requests with a Microsoft-issued access token instead of a Blindata session token or API key.

GET /api/v1/datacategories HTTP/1.1
Host: api.blindata.io
Authorization: Bearer <microsoft-entra-access-token>
X-BD-Tenant: Example-Tenant-UUID
Accept: application/json

The API accepts Entra access tokens that:

  • Are issued by https://login.microsoftonline.com/{tenant-id}/v2.0
  • Contain exactly one audience (aud) claim matching your Blindata instance URL
  • Map to an existing Blindata user, or can be associated automatically on first use

User access tokens

When the token represents a signed-in user, Blindata resolves the account from the sub claim. The user must already exist in Blindata and must also already have performed a sign in using Entra SSO.

Request tokens with scope {your-blindata-instance-url}/.default.

Daemon and service principal access tokens

For unattended integrations, register a service principal in Entra ID and create a corresponding application user in Blindata with username:

msazure:{object_id}@{azure_tenant_id}

where {object_id} is the Object ID of the service principal and {azure_tenant_id} is the Azure tenant ID (tid claim).

Obtain an access token with the OAuth 2.0 client credentials flow, requesting scope {your-blindata-instance-url}/.default. Verify that oid and sub are equal, iss starts with https://login.microsoftonline.com/, and tid matches your Azure tenant.

For full Entra ID configuration steps, see SSO With Microsoft Entra ID .