Skip to main contentIBM Quantum Documentation Mirror

Initialize the service in an untrusted environment

Follow these instructions if you are working with IBM Cloud or the IBM Qiskit Runtime REST API in an untrusted environment, such as a public computer.

Avoid executing code on an untrusted machine or an external cloud Python environment to minimize security risks. If you must use an untrusted environment (on, for example, a shared or public computer), change your API key after each use by deleting it on the API keys page and creating a new one.

Caution

Protect your API key! Never include your key in source code, Python script, or notebook file. When sharing code with others, ensure that your API key is not embedded directly within the Python script. Instead, share the script without the token and provide instructions for securely setting it up.

If you accidentally share your key with someone or include it in version control like Git, immediately revoke your key by following the Deleting an API key topic on IBM Cloud.


Find your access credentials

  1. Find your API key (also referred to as an API token). From the dashboard, create your API key, then copy it to a secure location so you can use it for authentication. The token will not be visible again. Note that you can use a single API key to connect to any region.
  2. Optional: Find the instance you want to use from the Instances page. Hover over its CRN, click the icon to copy it, then save it in a secure location so you can use it to identify the instance.

Authenticate to IBM Cloud in an untrusted environment

To initialize the service in this situation, use code like the following:

from qiskit_ibm_runtime import QiskitRuntimeService
 
# Saved accounts are not used when a token is passed in. The service is initialized with credentials that are not saved.
service = QiskitRuntimeService(
  # Delete your key on the API keys page after entering this code:
  token="<your-API-key>", # Use the 44-character API_KEY you created and saved from the IBM Quantum Platform Home dashboard
  # Optionally specify an instance to use
  instance="<IBM Cloud CRN or instance name>"
  )

Authenticate to the REST API in an untrusted environment

Follow these steps to use your API key directly to authenticate to the Qiskit Runtime REST API, where <your_API_KEY> is the 44-character API_KEY you created and saved from your IBM Quantum Platform Home dashboard.

  1. Use your API key to generate a bearer token. A bearer token is a temporary credential that expires after no more than one hour. After the acquired token expires, you must generate a new one to continue calling IBM Cloud or other service APIs. :
curl -X POST 'https://iam.cloud.ibm.com/identity/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=urn:ibm:params:oauth:grant-type:apikey&apikey=your_API_KEY'

Copy and save the returned bearer token: "access_token": "<NEW_BEARER_TOKEN>"

  1. Authenticate requests to the Qiskit Runtime REST API by including the CRN and bearer token in the request's headers.
curl -X 'GET' \
   'https://quantum.cloud.ibm.com/api/v1/usage' \
   '-H accept: application/json' \
   '-H authorization: Bearer <BEARER_TOKEN>' \
   '-H Service-CRN: <INSTANCE_CRN>'
  1. Change your API key after each use by generating a new API key on the IBM Quantum Platform home page, or by following the Deleting an API key instructions on IBM Cloud.

Next steps

Recommendations