API Key-Based Authorization

    Using an API key allows a user to receive a permanent authorization grant. Unlike access and refresh tokens that expire after a specific period of time, an API key is active until the associated user identity is disabled or deleted.

    To configure API key-based authentication:

    1. Log in using one of the methods described in the Username and Password and OAuth 2.0 Authentication sections.
    2. Send an HTTP POST request to the /users/{userUid}/logins/apikey path, where userUid is the UID of a user account. You must also provide the description query string parameter, which contains information about the API key issuance.

    If you want a user to have access only to GET operations, set the isReadAccessOnly query parameter to true.

    The response body will contain a resource representation of a new user identity with the API key in the parameters property.


    POST https://vspc:1280/api/v3/users/955b0b80-03b2-49fd-bf38-14785ecff0a8/logins/apikey?description=Alpha%20Company%20Administrator%20API%20Key&isReadAccessOnly=true


    Request Headers:

    Content-type: application/json

    Authorization: Bearer <Access-Token>


    Response Code:

    200 OK


    Response Body:


    {
      "data": {
        "id": 12,
        "userUid": "955b0b80-03b2-49fd-bf38-14785ecff0a8",
        "userName": "alpha_admin",
        "companyId": "3b139961-6b11-4fd8-9e87-c2be1b0e9ca8",
        "companyName": "Alpha",
        "identityProviderName": "AK",
        "description": "Company API Key",
        "isReadAccessOnly": true,
        "scopes": [],
        "status": "enabled",
        "parameters": "4baccb809a3578f4xZGp74ik1k54wD03Y25fJ7KRIR7oVJsfgyFuQj4yaCFkhQMA5qjHyETS95PCy3uKcNm2bz6NrtVFHELWPh7mZxpx6cczHZYAbuufuy2QQ7zeKvkM",
        "identifierInProvider": "11217524525076510964",
        "creationDate": "2020-08-18T16:02:26.0136931+00:00"
      }
    }



    You can use the API key instead of the access token in the Authorization headers of all further requests.

    Authorization: Bearer 4baccb809a3578f4xZGp74ik1k54wD03Y25fJ7KRIR7oVJsfgyFuQj4yaCFkhQMA5qjHyETS95PCy3uKcNm2bz6NrtVFHELWPh7mZxpx6cczHZYAbuufuy2QQ7zeKvkM
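
The issuance request and key handling described above, as an added example that is not part of the original documentation: it builds the POST with a percent-encoded description, confirms that the returned identity is read-only as requested, and reads the key from the parameters property. The function names, placeholder token and sample response are constructed for illustration, and nothing is sent over the network.

```python
import json
from urllib.parse import quote, urlencode
from urllib.request import Request

BASE_URL = "https://vspc:1280/api/v3"  # host and port from the page's sample request


def build_apikey_request(user_uid, description, access_token, read_only=True):
    """Build (without sending) the POST that issues an API key for user_uid."""
    query = urlencode(
        {"description": description, "isReadAccessOnly": str(read_only).lower()},
        quote_via=quote,  # encode spaces as %20 rather than '+'
    )
    url = f"{BASE_URL}/users/{quote(user_uid, safe='')}/logins/apikey?{query}"
    headers = {"Content-Type": "application/json",
               "Authorization": f"Bearer {access_token}"}
    return Request(url, method="POST", headers=headers)


def extract_api_key(response_text, expect_read_only=True):
    """Return the key from 'parameters' after checking the granted access level."""
    identity = json.loads(response_text)["data"]
    # Refuse a key whose access level differs from what was requested.
    if identity.get("isReadAccessOnly") is not expect_read_only:
        raise ValueError("isReadAccessOnly in response does not match request")
    key = identity.get("parameters")
    if not key:
        raise ValueError("response carries no API key in 'parameters'")
    return key


def redact(secret, keep=4):
    """Shorten a secret for log output so the full key never reaches a log."""
    return secret[:keep] + "..." if len(secret) > keep else "***"


# Constructed sample response, trimmed from the shape shown on this page.
SAMPLE_RESPONSE = json.dumps({"data": {
    "id": 12, "isReadAccessOnly": True, "status": "enabled",
    "parameters": "EXAMPLE-KEY-constructed-not-a-real-secret",
}})

if __name__ == "__main__":
    req = build_apikey_request(
        "955b0b80-03b2-49fd-bf38-14785ecff0a8",
        "Alpha Company Administrator API Key",
        "ACCESS-TOKEN-PLACEHOLDER")  # placeholder, not a real token
    print(req.get_method(), req.full_url)
    print("issued key:", redact(extract_api_key(SAMPLE_RESPONSE)))
```

Because the key does not expire, store the extracted value in a secrets manager and log only the redacted form.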

    You can temporarily restrict access to the REST API with the issued API key. To do that, set the disabled value for the status property of the user identity resource associated with that API key. For details on how to modify user identities, see Modify User Identity.

    If you want to permanently disable access to the REST API with the issued API key, you can delete the user identity resource associated with that API key. For details, see Delete User Identity.