Authentication Guide
Alloy supports both basic HTTP authentication and OAuth 2.0, depending on the security requirements and technical limitations of your organization. Both methods use a token and secret (viewable in your dashboard) issued to each of your applications.
Transitioning to Account-Level API Keys
Historically, API tokens and secrets referred to workflow_token and workflow_secret. As part of Alloy's initiative to introduce account-level API keys, this is changing. If you have migrated to the new API Key Settings page, token and secret now refer to the new API token and secret. If you have not migrated yet, continue using workflow_token and workflow_secret.
Make sure not to share your secret (never commit it to a repository or leave it human-readable in code) and always use HTTPS. Whether you use OAuth 2.0 or basic auth for server-to-server communication, either method is only as secure as the clients that use our APIs. We want to make sure your information is as secure as possible!
Basic HTTP Authentication
To authorize per-request with HTTP basic auth, use this code:
curl -X POST https://sandbox.alloy.co/v1/evaluations \
-H "Content-Type: application/json" \
-u token:secret \
-d $'{
"name_first": "John",
...
}'
Credentials must be passed with each request. The username is the token and the password is the secret. To implement HTTP basic auth yourself:
- Concatenate the token and secret together, separated by a colon
- Base64 encode the resulting string
- Pass the result in the Authorization header, prefixed with the word “Basic” and a space, like:
Authorization: Basic base64_encode(token:secret)
OAuth 2.0
To authorize once with OAuth 2.0, use this code:
curl -X POST https://sandbox.alloy.co/v1/oauth/bearer \
-H "Content-Type: application/json" \
-H "Authorization: Basic <basic_token>" \
-d '{
"grant_type": "client_credentials"
}'
The application credentials must first be passed to the /oauth/bearer route in order to receive a bearer token. Each bearer token is valid for one hour. Alloy uses standard OAuth 2.0, so it is plug-and-play with most auth plugins or API clients. All you need to know is:
Grant Type: client_credentials
Client ID: (token)
Client Secret: (secret)
Access Token URL: https://sandbox.alloy.co/v1/oauth/bearer
If you want to roll your own, pass the token and secret via basic auth (as explained above) to POST /oauth/bearer with a grant type of “client_credentials”.
Alloy expects the bearer token to be included in all API requests to the server in a header that looks like the following:
Authorization: Bearer <bearer_token>
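The following Python example, added here and not part of Alloy's own documentation or client libraries, walks through both flows described on this page: it builds the Basic header exactly as the three steps above describe, constructs the client_credentials request to /oauth/bearer, and then caches the resulting bearer token so it is refreshed shortly before the one-hour validity window ends. The base URL and routes are the ones shown on this page; the environment variable names (ALLOY_TOKEN, ALLOY_SECRET), the assumed response field name BEARER_FIELD, and the placeholder credentials "token"/"secret" are assumptions made for this example. No network call is made when the script runs as written.

```python
import base64
import json
import os
import time
import urllib.request

# Base URL and routes are the ones shown in the guide; everything else here
# is an assumption made for this example.
BASE_URL = "https://sandbox.alloy.co/v1"
TOKEN_TTL_SECONDS = 3600  # the guide states each bearer token is valid for one hour
# The guide does not name the JSON field that carries the bearer token;
# "token" is an assumed field name, adjust it to match the real response.
BEARER_FIELD = "token"


def load_credentials():
    """Read the token and secret from the environment (variable names are
    hypothetical) so the secret never lands in source code or a repository."""
    return os.environ["ALLOY_TOKEN"], os.environ["ALLOY_SECRET"]


def basic_auth_header(token, secret):
    """The three steps from the guide: join with ':', base64-encode, prefix 'Basic '."""
    raw = f"{token}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def bearer_token_request(token, secret):
    """Build POST /oauth/bearer with grant_type=client_credentials, authenticated
    via basic auth; equivalent to the curl example on this page."""
    body = json.dumps({"grant_type": "client_credentials"}).encode("utf-8")
    return urllib.request.Request(
        f"{BASE_URL}/oauth/bearer",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": basic_auth_header(token, secret),
        },
    )


def fetch_bearer(token, secret, opener=urllib.request.urlopen):
    """Send the request and return the bearer token string. The opener is
    injectable so the exchange can be exercised without a network."""
    with opener(bearer_token_request(token, secret)) as resp:
        return json.loads(resp.read().decode("utf-8"))[BEARER_FIELD]


class BearerCache:
    """Reuse one bearer token across requests and refresh it before the hour is up."""

    def __init__(self, fetch, ttl=TOKEN_TTL_SECONDS, skew=60, clock=time.time):
        self._fetch = fetch    # callable returning a fresh bearer token
        self._ttl = ttl
        self._skew = skew      # refresh this many seconds early to avoid an expiry-edge failure
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            self._token = self._fetch()
            self._expires_at = now + self._ttl
        return self._token


def api_request(path, bearer, method="GET", payload=None):
    """Build an API request carrying 'Authorization: Bearer <bearer_token>'."""
    data = None if payload is None else json.dumps(payload).encode("utf-8")
    headers = {"Authorization": f"Bearer {bearer}"}
    if data is not None:
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(f"{BASE_URL}{path}", data=data,
                                  method=method, headers=headers)


if __name__ == "__main__":
    # Placeholder credentials mirroring the guide's curl example (-u token:secret);
    # in real use call load_credentials() instead of hard-coding anything.
    token, secret = "token", "secret"
    print(bearer_token_request(token, secret).get_header("Authorization"))
    # A constructed fetch stands in for the real exchange so this runs offline.
    cache = BearerCache(lambda: "constructed-bearer-token")
    req = api_request("/evaluations", cache.get(), method="POST",
                      payload={"name_first": "John"})
    print(req.get_method(), req.full_url, req.get_header("Authorization"))
```

In production, pass `lambda: fetch_bearer(*load_credentials())` to `BearerCache` and call `cache.get()` before every request; the cache only hits /oauth/bearer once per hour (minus the skew), and the secret stays in the environment rather than in code.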