--- title: UI and API access description: This page shows you how to access and monitor the Ping Identity Platform components in a ForgeOps deployment. component: forgeops version: 2026.1 page_id: forgeops:deploy:access canonical_url: https://docs.pingidentity.com/forgeops/2026.1/deploy/access.html keywords: ["User Interface", "REST API", "Monitoring", "Grafana", "Prometheus"] section_ids: am-services-cdm: AM services idm-services-cdm: IDM services ds_command_line_access: DS command-line access cdm-monitoring: ForgeOps deployment monitoring grafana: Grafana prometheus: Prometheus next_step: Next step --- # UI and API access This page shows you how to access and monitor the Ping Identity Platform components in a ForgeOps deployment. AM and IDM are configured for access through the Kubernetes cluster's ingress controller. You can access these components using their admin UIs and REST APIs. DS cannot be accessed through the ingress controller, but you can use Kubernetes methods to access the DS pods. ## AM services To access the AM admin UI: 1. Set the active namespace in your local Kubernetes context to the namespace in which you performed the ForgeOps deployment. 2. Obtain the `amadmin` user's password: ``` $ cd /path/to/forgeops/bin $ ./forgeops info | grep amadmin vr58qt11ihoa31zfbjsdxxrqryfw0s31 (amadmin user) ``` 3. Open a new window or tab in a web browser. 4. Go to https\://my-fqdn/platform. The Kubernetes ingress controller handles the request, routing it to the `login-ui` pod. The login UI prompts you to log in. 5. Log in as the `amadmin` user. The Ping Identity Platform UI appears in the browser. 6. Select Native Consoles > Access Management. The AM admin UI appears in the browser. To access the AM REST APIs: 1. Start a terminal window session. 2. Run a curl command to verify that you can access the REST APIs through the ingress controller. For example: ``` $ curl \ --insecure \ --request POST \ --header "Content-Type: application/json" \ --header "X-OpenAM-Username: amadmin" \ --header "X-OpenAM-Password: vr58qt11ihoa31zfbjsdxxrqryfw0s31" \ --header "Accept-API-Version: resource=2.0" \ --data "{}" \ "https://my-fqdn/am/json/realms/root/authenticate" { "tokenId":"AQIC5wM2...", "successUrl":"/am/console", "realm":"/" } ``` ## IDM services To access the IDM admin UI: 1. Set the active namespace in your local Kubernetes context to the namespace in which you performed the ForgeOps deployment. 2. Obtain the `amadmin` user's password: ``` $ cd /path/to/forgeops/bin $ ./forgeops info | grep amadmin vr58qt11ihoa31zfbjsdxxrqryfw0s31 (amadmin user) ``` 3. Open a new window or tab in a web browser. 4. Go to https\://my-fqdn/platform. The Kubernetes ingress controller handles the request, routing it to the `login-ui` pod. The login UI prompts you to log in. 5. Log in as the `amadmin` user. The Ping Identity Platform UI appears in the browser. 6. Select Native Consoles > Identity Management. The IDM admin UI appears in the browser. To access the IDM REST APIs: 1. Start a terminal window session. 2. If you haven't already done so, get the `amadmin` user's password using the forgeops info command. 3. AM authorizes IDM REST API access using the [OAuth 2.0 authorization code flow](https://docs.pingidentity.com/pingam/8/oauth2-guide/oauth2-authz-grant.html). ForgeOps deployments come with the `idm-admin-ui` client, which is configured to let you get a bearer token using this OAuth 2.0 flow. You'll use the bearer token in the next step to access the IDM REST API: 1. Get a session token for the `amadmin` user: ``` $ curl \ --request POST \ --insecure \ --header "Content-Type: application/json" \ --header "X-OpenAM-Username: amadmin" \ --header "X-OpenAM-Password: vr58qt11ihoa31zfbjsdxxrqryfw0s31" \ --header "Accept-API-Version: resource=2.0, protocol=1.0" \ 'https://my-fqdn/am/json/realms/root/authenticate' { "tokenId":"AQIC5wM...TU3OQ*", "successUrl":"/am/console", "realm":"/"} ``` 2. Get an authorization code. Specify the ID of the session token that you obtained in the previous step in the `Cookie` parameter: ``` $ curl \ --dump-header - \ --insecure \ --request GET \ --header "Cookie: iPlanetDirectoryPro=AQIC5wM...TU3OQ*" \ "https://my-fqdn/am/oauth2/realms/root/authorize?redirect_uri=https://my-fqdn/platform/appAuthHelperRedirect.html&client_id=idm-admin-ui&scope=openid%20fr:idm:*&response_type=code&state=abc123" HTTP/2 302 ... ``` 3. Exchange the authorization code for an access token. Specify the access code that you obtained in the previous step in the `code` URL parameter: ``` $ curl --request POST \ --insecure \ --data "grant_type=authorization_code" \ --data "code=3cItL9G52DIiBdfXRngv2_dAaYM" \ --data "client_id=idm-admin-ui" \ --data "redirect_uri=https://my-fqdn/platform/appAuthHelperRedirect.html" \ "https://my-fqdn/am/oauth2/realms/root/access_token" { "access_token":"oPzGzGFY1SeP2RkI-ZqaRQC1cDg", "scope":"openid fr:idm:*", "id_token":"eyJ0eXAiOiJKV ... sO4HYqlQ", "token_type":"Bearer", "expires_in":239 } ``` 4. Run a curl command to verify that you can access the `openidm/config` REST endpoint through the ingress controller. Use the access token returned in the previous step as the bearer token in the authorization header. The following example command provides information about the IDM configuration: ``` $ curl \ --insecure \ --request GET \ --header "Authorization: Bearer oPzGzGFY1SeP2RkI-ZqaRQC1cDg" \ --data "{}" \ \https://my-fqdn/openidm/config { "_id":"", "configurations": [ { "_id":"ui.context/admin", "pid":"ui.context.4f0cb656-0b92-44e9-a48b-76baddda03ea", "factoryPid":"ui.context" }, ... ] } ``` ## DS command-line access The DS pods in ForgeOps deployment are not exposed outside of the cluster. If you need to access one of the DS pods, use a standard Kubernetes method: * Execute shell commands in DS pods using the kubectl exec command. * Forward a DS pod's LDAPS port (1636) to your local computer. Then, you can run LDAP CLI commands, for example ldapsearch. You can also use an LDAP editor such as Apache Directory Studio to access the directory. For all ForgeOps deployment directory pods, the directory superuser DN is `uid=admin`. Obtain this user's password by running the forgeops info command. ## ForgeOps deployment monitoring This section describes how to access Grafana dashboards and Prometheus UI'\[[1](#_footnotedef_1 "View footnote.")]' . ### Grafana To access Grafana dashboards: 1. Set up port forwarding on your local computer for port 3000: ``` $ /path/to/forgeops/bin/prometheus-connect.sh -G Forwarding from 127.0.0.1:3000 → 3000 Forwarding from [::1]:3000 → 3000 ``` 2. In a web browser, navigate to http\://localhost:3000 to access the Grafana dashboards. 3. Log in as the `admin` user with `password` as the password. When you're done using the Grafana UI, stop Grafana port forwarding by entering Ctrl+c in the terminal window where you initiated port forwarding. For information about Grafana, refer to [the Grafana documentation](http://docs.grafana.org). ### Prometheus To access the Prometheus UI: 1. Set up port forwarding on your local computer for port 9090: ``` $ /path/to/forgeops/bin/prometheus-connect.sh -P Forwarding from 127.0.0.1:9090 → 9090 Forwarding from [::1]:9090 → 9090 ``` 2. In a web browser, navigate to http\://localhost:9090 to access the Prometheus UI. When you're done using the Prometheus UI, stop Prometheus port forwarding by entering Ctrl+c in the terminal window where you initiated port forwarding. For information about Prometheus, refer to [the Prometheus documentation](https://prometheus.io/docs/introduction/overview). For a description of ForgeOps monitoring architecture and information about how to customize ForgeOps monitoring, refer to [ForgeOps deployment monitoring](../prepare/monitoring/overview.html). ## Next step * [icon: check-square-o, set=fa][Become familiar with ForgeOps deployments](overview.html) * [icon: check-square-o, set=fa][Understand ForgeOps architecture](architecture.html) * [icon: check-square-o, set=fa][Deploy the platform](deploy.html) * [icon: check-square-o, set=fa][Access platform UIs and APIs](access.html) * [icon: square-o, set=fa]*[Plan for production deployment](next-steps.html)* *** [1](#_footnoteref_1). Not available on ForgeOps deployments on minikube.