Skip to content
English
More support
Ask Flow Support
  • There are no suggestions because the search field is empty.

Ignition Module Authentication Review

The module supports optional OAuth2 authentication using the client credentials flow via Timebase Pulse.

Overview

The module supports optional OAuth2 authentication using the client credentials flow via Timebase Pulse. When enabled, the module acquires a bearer token from Pulse and includes it with every request to Timebase Historian. If authentication is not required, leave the authentication settings empty and the module will communicate with Timebase without authorization headers.

How Authentication Works

When all three authentication settings are configured (Pulse URL, Client Id, and Client Secret), the module follows this process:

  1. Token request — On the first API call, the module requests a token from Timebase Pulse using the OAuth2 client credentials flow: 
    POST <Pulse URL>/auth/token
    Content-Type: application/x-www-form-urlencoded

    grant_type=client_credentials&client_id=<Client Id>&client_secret=<Client Secret>
  2. Token caching — The returned bearer token is cached in memory and reused for all subsequent requests until it expires.
  3. Automatic token refresh — If Timebase returns an HTTP 401 (Unauthorized) response, the module automatically requests a new token and retries the original request once. A short delay is applied before the retry to avoid log flooding. If the retry also fails, the error is reported.
  4. No-auth mode — If any one of the three authentication fields is empty or not set, authentication is skipped entirely. Requests are sent to Timebase without an Authorization header.

Setting Up Authentication in Timebase Pulse

Before configuring the module, create a client credentials entry in Timebase Pulse:

  1. Open the Timebase Pulse administration interface.
  2. Navigate to Clients or OAuth2 Clients.
  3. Create a new client with:
    • Grant type: Client Credentials
    • Client Id: a name you choose (e.g. Ignition)
    • Client Secret: a strong, randomly generated secret
  4. Save the client and note the Client Id and Client Secret — you will need them in the Ignition module configuration.

Configuring the Module

In the Ignition Gateway web interface, open your Timebase historian provider settings and fill in:

Setting Value
Pulse URL Full URL of your Pulse server including port (e.g. https://your-server:4542)
Pulse Client Id The Client Id you created in Pulse
Pulse Client Secret The Client Secret — stored securely in Ignition's secret management

All three fields must be filled in for authentication to activate. If any field is left blank, the module runs in no-auth mode.

Security Notes

  • The Client Secret is stored using Ignition's built-in secret management — encrypted at rest and never visible in plain text after saving.
  • Token refresh happens automatically in the background. You do not need to restart the historian or Gateway when a token expires.
  • All credentials are trimmed of leading and trailing whitespace before use. If authentication fails unexpectedly, try re-entering the credentials manually to avoid hidden whitespace from copy-paste.

Troubleshooting

Symptom Likely cause What to do
Gateway logs show "401 Unauthorized" repeatedly Token has expired and refresh is failing Verify the Pulse URL is reachable from the Ignition Gateway host. Confirm the Client Id and Client Secret are still valid in Pulse.
Module starts but all writes return 401 Authentication is configured but Pulse is unreachable Check network connectivity between the Ignition Gateway and the Pulse server. Confirm the Pulse service is running.
Logs show "401" followed by a successful retry Normal token refresh behavior This is expected — the module refreshed an expired token and retried successfully. No action needed.
No Authorization header in requests despite settings being filled in One of the three fields is empty or contains only whitespace Re-check all three fields. All must be non-empty after trimming whitespace.