On behalf of (OBO) RSA authentication

You can use on behalf of (OBO) via RSA key pair authentication rather than using certificate authentication as detailed here.

To enable OBO RSA authentication, you need an application deployed with the OBO feature enabled and you must already be using RSA authentication.

Enable OBO authentication:

  1. Follow the steps in the knowledge article How to generate JWT/RSA tokens to generate the RSA key pairs.
  2. Once you have set the Public Key into the Authentication section in the application bundle, update the application if you already have it deployed, or create it if you have not.

The screenshot above highlights the ACT_AS_USER variable required for OBO and the RSA Public Key section.

  1. To obtain the SessionToken, run the following call, replacing the user AppID with your own ID.
java -jar jwt-helper.jar -user AppID -key mykey.pem


  1. Copy the resulting SessionToken and use it in the following 5 minutes.
  2. In Postman, get the application SessionToken by navigating to the following URL:

    • companyabc is the name of your Symphony instance.
  1. Use either the username or the UID of the person to obtain their SessionToken.



    • companyabc is the name of your Symphony instance.
    • <username> is your username, such as johnsmith.



    • companyabc is the name of your Symphony instance.
  1. Once you have obtained the OBO SessionToken, you can use any of API endpoints enabled for OBO.

Note: The Key Manager (KM) token is not used.