How to use BoB-test

Auth token

Requests to BoB-test need a valid auth token. How do you get one? There are basically two ways:

1. Use your own Authentication API

The preferred way is to get an auth token from your own service that implements the Authentication API in a test environment.

The public part of the auth token public/private key-pair must be published to BoB Metadata Test so that it is included in the response from the test endpoint of If not already done, you need to go through the Metadata Key Exchange Process.

Contact us at and ask for permissions to call BoB-test using your own auth token. We must know the Issuer (claim iss) and Authorization Class (claim bobAuthZ) used in the auth token. Read to learn more about these claims.
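To confirm which iss and bobAuthZ values your own Authentication API actually puts in its tokens, you can decode a token locally. The script below is an added example, not part of BoB-test or its documentation; it assumes the auth token is a compact JWS (three base64url segments), and the function names and sample token are constructed for illustration.

```python
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in compact JWS."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def inspect_auth_token(token: str, now=None) -> dict:
    """Return alg, iss, bobAuthZ and expiry state of a compact JWS token.

    The signature is NOT verified: use this to inspect a token you issued
    yourself, never to decide whether a token can be trusted.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments (compact JWS)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    missing = [c for c in ("iss", "bobAuthZ") if c not in claims]
    if missing:
        raise ValueError("auth token lacks claim(s): " + ", ".join(missing))
    now = time.time() if now is None else now
    exp = claims.get("exp")  # optional here; absent means "no expiry stated"
    return {
        "alg": header.get("alg"),
        "iss": claims["iss"],
        "bobAuthZ": claims["bobAuthZ"],
        "expired": exp is not None and exp <= now,
    }


def make_sample_token(claims: dict) -> str:
    """Build a constructed sample token (dummy signature) for the demo."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    # Constructed sample values, not real BoB-test data.
    sample = make_sample_token({"iss": "1", "bobAuthZ": "pos", "exp": 2000000000})
    print(inspect_auth_token(sample, now=1700000000))
```
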

2. Use BoB-test Authentication API

If you’ve not implemented the Authentication API yourself, you can get auth tokens from the implementation provided by BoB-test for test purposes.

Then, you have to do the following...

  • Generate a certificate signing request (CSR) with the following command.

    > openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout client-1.key -subj "/C=SE/ST=<province>/L=<location>/O=<organisation>/CN=<sales-client-1>" -out client-1.csr

where …

<province> is the participant's province, for example Stockholm.

<location> is the location, for example Stockholm.

<organisation> is the participant's name.

<sales-client-1> is the name of the client or device that will use the certificate.

  • Send the CSR to Samtrafiken. Samtrafiken will inform you how.

  • Inform Samtrafiken what bobAuthZ group you intend to use. If only for initial testing, use "pos".

  • Inform Samtrafiken if you want a special entityId. Otherwise the entityId will be just 1. We will assume the entityId is 1 for the rest of this guide.

Samtrafiken will create your signed certificate and send it back to you, i.e. the client-1.crt file.

2.1 Post auth token public key

This applies to you only if your company is already registered as a participant in BoB Metadata Test.

  • You will get an auth token public key from Samtrafiken.

  • Use POST /participantMetadata/{pid}/authtokenPublicKey to publish the auth token public key to BoB Metadata Test. The API private key is needed to do this. This key was created during the Metadata Key Exchange Process when you first signed up to participate in BoB Metadata Test. It is used for signing the PoP-Token, see MTS 5.



Base URL

Endpoint for creating auth token


BoB-test 2019-1{entityId}

How to make a request


Postman is a tool for API testing. Please find a Postman collection customized for BoB-test use here. This collection can be imported into Postman.

Once the provided Postman collection is imported into Postman, you have to add configuration for sending your client certificate. This is done on a per-host basis. For calls to host api-bobtest-2019-1, configure it like so:

… where client-1.crt is the signed client certificate that you received back from Samtrafiken and client-1.key is the private key generated with the openssl req -new -newkey command described above.

Open the GET auth token request and click Send. The auth token should now exist as a collection variable authToken.

Open the Search products 1 - minimal request and click Send. You should get 200 OK and an array of products.


Another tool is curl.

Get auth token:

curl --verbose \
  --cert client-1.crt \
  --key client-1.key \
  --header "Content-Type: application/json" \
  "<endpoint for creating auth token>"

Example request to search products:

curl --verbose -X POST --data @- \
  --header "Content-Type: application/json" \
  --header "X-BoB-AuthToken: REPLACE_WITH_AUTH_TOKEN_FROM_GET_AUTH_RESPONSE" \
  "<product search endpoint URL>" <<JSON
{ "group": { "groupType": "zone", "groupIds": [ "1" ] } }
JSON


Or by using a data file:

curl -X POST --data "@data.json" \
  --header "Content-Type: application/json" \
  --header "X-BoB-AuthToken: REPLACE_WITH_YOUR_OWN_AUTH_TOKEN" \
  "<product search endpoint URL>"

where data.json contains:

{ "group": { "groupType": "zone", "groupIds": [ "1" ] } }