Enablement Services Authorization
Authorization
Enablement Services supports multiple authorization scopes, depending on the level of access required.
API requests require a valid 'Authorization' header.
Organization-scoped authorization is used for organization-wide operations, as well as for user creation. A client_id and client_secret are required.
After creating a user, you'll need to obtain a session token to access user-scoped authenticated queries and mutations. To generate this token, see User Scoped Authentication. This request requires your client_id, client_secret, and the user_id returned from the registerOrganizationUser mutation. Include the session token as a header in any subsequent requests requiring user-scoped authorization.
Organization Scope
This scope is used to interact with organization-wide resources. It can be used to view all users, connections, and tradelines.
Client Credentials Authentication
Client Credentials authentication is appropriate for server-to-server use cases. Don't expose your client credentials in client-side code, GitHub, or any other insecure location.
To use Client Credentials authentication, pass the client credentials, separated by a colon, as the bearer token in the 'Authorization' header.
Authorization: Bearer client_id:client_secret
User Scope
This scope is used to interact with an individual user's data.
Session Token Authentication
Session token authentication is the preferred method for interacting with user data from a client-side application. See User Scoped Authentication for reference. Pass the session token in the 'Authorization' header and all requests will be scoped to that user.
Authorization: Bearer session_token
Basic Auth
Another way to authenticate with the user scope is to use a combination of client credentials and user ID. This authorization method should also only be used for server-to-server use cases.
To use Basic Auth, provide the Base64-encoded combination of the client credentials and user ID, separated by colons.
Authorization: Basic < Base64-encoded ClientID:ClientSecret:UserId >
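The three header forms described on this page, built server-side, as an added example that is not part of the original documentation or the vendor's code. The function names, the ES_CLIENT_ID and ES_CLIENT_SECRET variable names, and the rejection of colons inside individual values (so the colon-separated format stays unambiguous) are assumptions of this example.

```python
import base64
import os

def _check(name, value, allow_colon=False):
    """Reject empty values and, by default, ones containing the ':' separator."""
    if not value or any(c.isspace() for c in value):
        raise ValueError(f"{name} is empty or contains whitespace")
    if ":" in value and not allow_colon:
        raise ValueError(f"{name} contains ':' and would make the header ambiguous")
    return value

def org_header(client_id, client_secret):
    """Organization scope: Bearer client_id:client_secret (server-to-server only)."""
    cid, sec = _check("client_id", client_id), _check("client_secret", client_secret)
    return {"Authorization": f"Bearer {cid}:{sec}"}

def session_header(session_token):
    """User scope: Bearer session_token (the form suited to client-side apps)."""
    tok = _check("session_token", session_token, allow_colon=True)
    return {"Authorization": f"Bearer {tok}"}

def basic_user_header(client_id, client_secret, user_id):
    """User scope: Basic base64(ClientID:ClientSecret:UserId) (server-to-server only)."""
    parts = [_check("client_id", client_id), _check("client_secret", client_secret),
             _check("user_id", user_id)]
    # Base64 is an encoding, not encryption: this header is as sensitive as the secret.
    token = base64.b64encode(":".join(parts).encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}

def redact(headers):
    """Return a copy safe for logs: keeps the scheme, hides the credential."""
    out = dict(headers)
    if "Authorization" in out:
        scheme = out["Authorization"].split(" ", 1)[0]
        out["Authorization"] = f"{scheme} [REDACTED]"
    return out

if __name__ == "__main__":
    # Assumed variable names; the fallbacks are constructed placeholder values.
    cid = os.environ.get("ES_CLIENT_ID", "example-client-id")
    sec = os.environ.get("ES_CLIENT_SECRET", "example-client-secret")
    print(redact(org_header(cid, sec)))
    print(redact(basic_user_header(cid, sec, "example-user-id")))
```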