Authentication and Authorization
The Flexxible API protects access to its resources through a security model based on authentication and authorization.
Authentication identifies the user making the request, while authorization determines which resources and operations they can access based on their permissions.
To learn how to generate an API key, authenticate, and make your first request, check out the Get Started guide.
Authentication
The API uses an authentication mechanism based on API Keys (API Keys).
Each API key is associated with a Portal user and represents their identity during requests made to the API. There's no need to obtain a prior access token or complete an additional authentication process.
API Key
The API key is the only authentication mechanism supported by the platform.
Features:
- It must be included in all requests.
- Identifies the user making the request.
- Limits access to the organization to which the user belongs.
Authorization
Access to API resources is controlled through a role-based authorization system.
Authorization is applied at two levels:
- Endpoint level. Determines which roles can access each endpoint.
- Action level. Restricts specific operations, such as creating, modifying, or deleting resources, depending on the user's permissions.
Access to resources depends on user permissions defined in Portal. Not all endpoints are available for all roles.
Best Practices
To protect integrations that use the API, it is recommended:
- Keep API keys in a secure place.
- Don't share them or include them in public source code.
- Rotate the keys periodically.
- Revoke any key that may have been compromised immediately.