Why Use Authentication?

Authentication is a way to verify that only permitted calls to an API are allowed.

How To Enable Authentication on an API Endpoint

Open a API Endpoint in PhixFlow from the Actionflow homepage
On the toolbar, click Properties
Disable Allow Anonymous Connection
1. This will then only allow authenticated calls to the API
Apply the changes

How To Create Authentication Users

In the Repository, expand the application with the Incoming API
Expand Roles and create an New Role by clicking
1. Pin the tab as we will need it to remain open
2. Provide a useful Name, e.g. GenerateToken
3. In the Privileges section, click Privileges
4. Search for the privilege in the Full Repository : Use API Key
5. Drag the Use API Key into the Privileges section of the Role Properties
7. Apply the changes
In the User Groups section, click User Groups
1. Add a new Group for your Role
  1. Give it a useful Name e.g. API Users
  2. Add any users you require to be able to run the API. This could be a dedicated API user with limited privileges
    1. To create a user see Managing User Accounts → Creating Users
  3. Click Apply and close the tab
2. Now drag the new user group into the User Groups section of the new role
3. Apply the changes
The setup should look similar to:

How To Generate Authentication Tokens

The Incoming API will run as a specified user, this means that when it is called the audit trail will show the specified user as having performed the Incoming API Actionflow
You do not need to login as this user, however, if you were already logged in as this user, you will need to logout and login again to pick up the user group change
In the Repository, scroll down to the Full Repository section and expand it
Expand the Users section
Double click on the user who will run the Incoming API
Click the 3-dot more menu in the top right of the user properties
Click Generate API Key
Copy the value displayed and store it somewhere safe

How To Send Authorisation

When calling the API, the authorisation token must be passed in as a header called: Authorization.

On the HTTP action, open the Properties
In the Headers section, click
1. Name: Authorization
2. Expression: ${_datasource.APIKey}

Worked Example

Here's a worked example using the Company Data (available from the Learning Centre).

In this example, we are using:

A Company Call API screen containing a fixed drop down list of industries, a string fields for the API Status and a multi-line string field for the Results - this screen was created using the Tile with Buttons template

If you are completing this chapter as part of the Actionflow course and using a training instance, the data and screens have already been pre-loaded into the Actionflow Advanced Application. For this example, we'll be working on the Company Call API screen.

Add Authentication to API Calling Actionflow

In this example, we'll add authentication to the Actionflow that calls an API.

Prerequisites

For this example, we'll modify an API End Point Actionflow containing company data to only allow authenticated calls and we'll add secret key details to an Actionflow that calls the API.

The two Actionflows that will be modified were created in 3.11 Setting up an API Endpoint. If you have not completed this chapter, expand the section below and follow the steps to create the Actionflows.

Create API End Point Actionflow and Call API Actionflow

Error rendering macro 'excerpt-include' : No link could be created for '3.11 Setting up an API Endpoint'.

Enable Authentication on API End Point Actionflow

Open the API Company Data
On the toolbar click Properties
In the API section, disable Allow Anonymous Connection
1. This will then only allow authenticated calls to the API
Apply the changes

Create Authentication User

In the Full Repository, expand the Users section
Click to create a new user who will be able to run the API
1. Login: apiagent
2. First Name: API
3. Surname: Agent
4. Password: Phixflow123!
5. Enabled:
6. Apply the user

Create Role

We need to create a role then assign the privilege and user group(s) to it.

In the Repository for the application (not the full repository), expand the application you're working in
Expand Roles and create an New Role by clicking
1. Pin the tab as we will need it to remain open
2. Name: GenerateAPIToken
3. In the Privileges section, click Privileges
4. Search for the privilege, Run Actions and drag it into the Privileges section of the Role Properties
5. Search for the privilege, Use API Key and drag it into the Privileges section of the Role Properties
7. Apply the changes
In the User Groups section, click User Groups
1. Create a new User Group by clicking the
  1. Name: APIUsers
  2. Apply the new user group
  3. On the User Group, in the Users section, click icon and drag across your API Agent user into the Users section
  4. Click Apply the changes
Click back onto the GenerateAPIToken Role tab
Drag the APIUsers user group into the User Groups section of the GenerateAPIToken Role
1. Apply the changes

Generate Authentication Token

In the Full Repository, expand the Users section
Double click on the API Agent user
Hover over the 3-dot more menu in the top right corner
Click Generate API Key
Copy the value displayed and store it somewhere safe

Send Authorization

On the screen, Company Call API, open the Actionflow on the Call API button
Click on the HTTP Action, Call API, to open its Properties
In the Secret Key Details section, click
1. Name: APIKey
2. Enabled:
3. Apply the changes
4. Secret: click
  1. In the Secret field, paste the API Key you copied above
  2. Apply the changes
In the Headers section, click
1. Name: Authorization
2. Expression: ${_datasource.APIKey}
Apply the changes

3.12 API Authentication and Secret Keys