master_t
Partner - Creator II

Creating an API key for another user

Hello

I have developed a C# application that connects to QS Enterprise using a client certificate, and thus can impersonate any user when connecting to the Qlik Sense engine.

Now some of my clients are moving to Qlik Sense SaaS and I need a way to do the same thing: connect to the Qlik engine as an arbitrary user.

However, I can't find a way to do it.

My idea was using an API key of a user with the "developer" and "tenant admin" roles to invoke the following REST API:

https://qlik.dev/apis/rest/api-keys#%23%2Fentries%2Fv1%2Fapi-keys-post

to create a short-lived API key for the specific user I have to impersonate and then use the freshly generated key to connect as that user.

However, even though the request body for that API includes a "sub" parameter to set the subject for the key, the API call returns a "403 - Forbidden" error if the "sub" parameter is anything other than the ID of the user that is making the API invocation.

So... is there a solution to this? What is the correct solution to impersonate another user when connecting to Qlik SaaS?


Accepted Solutions
Øystein_Kolsrud
Employee

I'm not sure what the best way to do this is, but it's possible to accomplish impersonation for QCS using JWT authentication. I experimented with this some time ago, and I guess that's the closest you get to using direct connection using certificates in the on-prem version of the product. It's not trivial to set up though, and it involves you generating a certificate to use, as well as configuring your tenant to accept it. You can find a basic example of how to do it here:

https://github.com/kolsrud/qlik_rest_sdk/blob/master/Qlik.Sense.RestClient/Examples/QcsConnectJwt/Pr...

That library also includes a class "QcsJwtFactory" that's intended to simplify the JWT generation once a private key is available.

You can find information on how to configure JWT authentication for your tenant here: https://qlik.dev/authenticate/jwt/implement-jwt-authorization

And of course... Security might be a concern here... Once you have that flow set up you have pretty much opened up a new door to get into the system.


master_t
Partner - Creator II
Author

Thanks, I've done some initial testing and it seems to work.

Since the tool I'm writing is highly automated, I wanted to minimize the setup required by having it automatically set up the JWT Identity Provider and Web Integration to make everything work.

However, while there is an API that allows you to create a new Identity Provider, I can't find one to create a new Web Integration... is creating a new Web Integration possible via REST API, or does that part need to be set up manually?

master_t
Partner - Creator II
Author

Never mind, I found it, it was in another section of the docs.

Answer accepted.

sanekagr2
Partner - Contributor III

Hi,
Is there a way to create an API key for another user via API without implementing a JWT IDP?
I can't use JWT in my project due to the installation of another identity provider, but I still need to generate an API key for another purpose.

master_t
Partner - Creator II
Author

Don't know if I fully understand your scenario, but you don't need to implement/use JWT as an authentication mechanism in YOUR project; you just need to enable and configure a JWT provider in Qlik Cloud. Your application can then use that JWT provider to impersonate another user and invoke APIs as needed, regardless of how your users authenticate to YOUR app.

sanekagr2
Partner - Contributor III

I need to install another IdP, such as Google Workspace or Okta. I'm not sure if JWT authentication will work alongside another IdP. I do know that API key authentication works fine in parallel with an IdP, but I can currently create API keys only for the default OAuth client user. I need to create them for other users as well.

The open question is whether there's still a way to create API keys for other users, or if JWT authentication can work with external IdPs.

master_t
Partner - Creator II
Author

I think Qlik Cloud supports multiple IdP mechanisms simultaneously if that's what you mean, but I haven't tested it, so I can't answer you with certainty; you'll have to test it.

Øystein_Kolsrud
Employee

If you have an OAuth client with the correct configurations, then it's possible to do impersonation that way. Perhaps that is closer to what you are looking for? You can find more information on this flow here:

https://qlik.dev/authenticate/oauth/guiding-principles-oauth-impersonation/

A related thread here on Community can be found here:

https://community.qlik.com/t5/Integration-Extension-APIs/OAuth-M2M-Impersonation/td-p/2429879

DaveChannon
Employee

OAuth impersonation is almost certainly the right way forward here, as the generated token supports more than the API key does, as well as having full scope control.

You can have many JWT IdPs active even if you have your own custom interactive IdP. The only IdP we limit you to one of is the interactive type. JWTs are non-interactive since they must be generated via a backend.
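
The backend-generated JWT discussed in this thread, sketched as an added example (it is not part of any post and is not the code of the linked qlik_rest_sdk library or its QcsJwtFactory class). The claim names and the audience value are assumptions based on the Qlik JWT guide linked in the accepted answer and should be checked against it; the key ID, issuer and user values are constructed placeholders, and the one-minute lifetime is this example's choice to limit the window in which a leaked token can be replayed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

static class QlikJwtSketch
{
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] FromB64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    // Builds an RS256-signed JWT for one user. keyId and issuer must match the
    // values registered on the tenant's JWT identity provider (assumption).
    public static string CreateToken(RSA key, string keyId, string issuer,
                                     string subject, string name, string email)
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        var header = new { alg = "RS256", typ = "JWT", kid = keyId };
        var payload = new
        {
            jti = Guid.NewGuid().ToString(),       // unique ID per token
            iss = issuer, sub = subject, subType = "user",
            aud = "qlik.api/login/jwt-session",    // assumed audience, verify in the guide
            name, email, email_verified = true,
            iat = now, nbf = now, exp = now + 60   // short-lived by design
        };
        string signingInput = B64Url(JsonSerializer.SerializeToUtf8Bytes(header)) + "." +
                              B64Url(JsonSerializer.SerializeToUtf8Bytes(payload));
        byte[] sig = key.SignData(Encoding.ASCII.GetBytes(signingInput),
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return signingInput + "." + B64Url(sig);
    }

    static void Main()
    {
        // Constructed demo key; in production the private key stays in a secret
        // store on the backend, since whoever holds it can sign in as any user.
        using RSA key = RSA.Create(2048);
        string[] p = CreateToken(key, "example-key-id", "example-issuer",
            "constructed-subject", "Example User", "user@example.com").Split('.');
        bool ok = key.VerifyData(Encoding.ASCII.GetBytes(p[0] + "." + p[1]),
            FromB64Url(p[2]), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        Console.WriteLine($"segments={p.Length} signatureValid={ok}");
    }
}
```

Only the public half of the key pair is registered with the tenant; rotating that registration is how access is revoked if the private key is ever exposed.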