Authentication and Authorization

Access to the API is protected to ensure only authenticated and authorized clients can interact with available resources.

This section describes how to authenticate with an API Key and how authorization controls are applied.

Authentication

The API uses an authentication mechanism based on API Keys.

All requests must include the key in the Authorization header using the Bearer scheme:

Authorization: Bearer <api_key>

Even though the Bearer scheme is used, the value directly corresponds to an API Key generated in Portal, not a token obtained through an additional authentication process.

API Key

• This is the only authentication mechanism available.
• Must be sent in all requests.
• Identifies the user, their role, and the organization they belong to.

Generate an API Key

To create this key, the user must have an Organization Admin role.

1. Access Portal.

   

2. In the side menu, click on Settings → Organization.

3. Select the API Keys tab.

   

4. Click on Create API Key.

5. Complete the form.

   

• Name. API key identifier.
• Role. Role assigned to the user in Portal.
• Duration. Validity period of the key.

6. Confirm by Saving.

Authorization

Access to API resources is controlled through a role-based authorization system.

Authorization is applied at various levels:

1. Endpoint level: determines which roles can access each endpoint.
2. Action level: restricts specific operations (e.g., modify or delete actions) based on user permissions.

note

Access to resources depends on user permissions defined in Portal. Not all endpoints are available for all roles.

Best Practices

• Keep the API Key secure.
• Generate new keys periodically.
• Revoke compromised keys.