3.12 API Authentication and Secret Keys

Why Use Authentication?

Authentication is a way to verify that only permitted calls to an API are allowed.

How To Enable Authentication on an API Endpoint

  1. Open a 

     in PhixFlow from the 
     homepage

  2. On the toolbar, click 

  3. Disable 

     Allow Anonymous Connection 

    1. This will then only allow authenticated calls to the API

  4.  the changes

How To Create Authentication Users

Create New User (Optional)

Create a dedicated API user with limited privileges if you want the API to show as being run by this user in the System Console. 

  1. In the 

    , expand the 
     section 

  2. Click 

     to create a new user who will be able to run the API

    1. Enabled: 

    2.  the user

Create New Role

  1. In the

    , expand the application with the Incoming API

  2. Expand

     and create a New Role by clicking 

    1. Pin the tab as we will need it to remain open

    2. Provide a useful Name, e.g. GenerateToken

Add Privileges to New Role 

  1. In the Privileges section, click 

  2. Search for and drag across the following privileges in the Full Repository:

    • Use API Key

    • Run Actions

    • View Table Actions (PhixFlow version 11.2 or older only)

  3. Drag each privilege across from the Full Repository into the Privileges section of the Role 

  4.  the changes

Create and Assign API User Group to Role

  1. In the 

     section, click 

    1. Add a new Group for your Role

      1. Give it a useful Name e.g. API Users

      2. Add any users you require to be able to run the API

        1. This could be a dedicated API user with limited privileges, such as the one created in the section, Create New User, above

          1. For more on creating users, see Managing User Accounts

      3. Click 

         and close the tab

    2. Now drag the new user group into the 

       section of the new role

    3.  the changes

  2. The setup should look similar to:

      1. If working in PhixFlow version 11.2 or older, the role will have an additional privilege: View Table Actions 

Assign Application Access User Group to New User (Optional)

  1. If you created a new user, in the 

    , expand the
     section

  2. Double click on the new user

  3. In the User Groups section, click the 

     icon to display the available User Groups in the Full Repository

  4. Search for the name of your application in the search box

    1. Two User Groups will display - drag across the one that doesn't contain _Admin into the User Group section of your user

How To Generate Authentication Tokens

  1. The Incoming API runs as a specified user; this means that when it is called, the audit trail will show that user as having performed the Incoming API Actionflow

  2. You do not need to log in as this user; however, if you were already logged in as this user, you will need to log out and log in again to pick up the user group change 

  3. In the 

    , scroll down to the Full Repository section and expand it

  4. Expand the

     section

  5. Double click on the user who will run the Incoming API

  6. Click the 3-dot more menu in the top right of the user properties

  7. Click Generate API Key

  8. Copy the value displayed and store it somewhere safe

How To Send Authorisation

When calling the API, the authorisation token must be passed in as a header called: Authorization.

  1. On the 

     action, open the 

  2. In the Secret Key Details section, click 

    1. Give the secret key a name, e.g. MyAPIKey

    2. Toggle on Enabled

    3.  the secret key

    4. Next to Secret, click 

    5. Paste in the API Key you copied earlier (see the section How To Generate Authentication Tokens, above)

    6.  the Local Secret and Secret Key

  3. In the Headers section on the

     action, click 

    1. Name: Authorization

    2. Expression: ${_datasource.MyAPIKey}

      1. Where MyAPIKey is the name of the Secret Key you set above
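The following is an added example, not PhixFlow's own code: a local stand-in for an Incoming API endpoint with Allow Anonymous Connection disabled, plus a client that sends the key in the Authorization header exactly as the `${_datasource.MyAPIKey}` header expression does. The URL path, the key value and the JSON payload are constructed for the demo; it assumes the header carries the raw API key, as the steps above configure.

```python
import hmac
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a key produced by "Generate API Key"; not a real key.
EXPECTED_API_KEY = "EXAMPLE-KEY-constructed-for-this-demo"

class IncomingApiStub(BaseHTTPRequestHandler):
    """Stand-in for an endpoint with Allow Anonymous Connection disabled:
    a call without the expected key in Authorization gets 401 and no action runs."""
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        presented = self.headers.get("Authorization", "").encode()
        # Constant-time comparison so a wrong key gives no timing signal.
        if not hmac.compare_digest(presented, EXPECTED_API_KEY.encode()):
            self.send_response(401)
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(json.dumps({"received": json.loads(body)}).encode())
    def log_message(self, *args):  # keep the demo output quiet
        pass

def call_api(url, payload, api_key):
    """Client side: the key goes in a header named Authorization (what
    ${_datasource.MyAPIKey} sends). Returns the HTTP status code."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 method="POST",
                                 headers={"Content-Type": "application/json"})
    if api_key is not None:
        req.add_header("Authorization", api_key)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    """Start the stub on a free local port and exercise the three cases."""
    server = HTTPServer(("127.0.0.1", 0), IncomingApiStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/api/example"
    results = {"anonymous": call_api(url, {"id": 1}, None),
               "wrong_key": call_api(url, {"id": 1}, "not-the-key"),
               "valid_key": call_api(url, {"id": 1}, EXPECTED_API_KEY)}
    server.shutdown()
    return results
```

Anonymous and wrong-key calls are rejected with 401 before any Actionflow would run; only the call carrying the generated key reaches the endpoint.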