Enablement Services Authentication

Authentication

Enablement Services supports multiple authentication scopes, depending on the level of access required. Organization scope allows for operations at an organization level, things like creating new users and authenticating users. User scope allows for operations on an individual user basis, like importing connections or viewing tradelines.

API requests require a valid 'Authorization' header.

Organization Scope

This scope is used to interact with organization wide resources. This can be used for operations like creating and authenticating users.

Client Credentials Authentication

Client Credentials authentication is appropriate for server-to-server use cases. Don't expose your client credentials in client-side code, Github or any other insecure location.

To use Client Credentials Authorization pass the client credentials separated by a colon as the bearer token in the 'Authorization' header.

Authorization: Bearer client_id:client_secret

User Scope

This scope is used to interact with an individual user's data, for example importing connections or retrieving tradelines.

Authenticating A User

Once a user has been created you will need to generate a session token that will be passed with every subsequent request to the graphql endpoint. This requires Organization scoped authentication. You will need your organization's client_id, client_secret, and the user_id for the user being authenticated. This is the user_id that was returned from your call to RegisterOrganizationUser

The HTTP endpoint /v1/users/authenticate/{user_id} is used to obtain the session token for User Scoped Authentication.

Base URL based on environment:

  • Use the Development URL when testing or working in a development environment.
  • Use the Production URL when making live requests.
DevelopmentProduction
https://api.bloomplus.devhttps://api.bloomplus.com
# Replace user_id with the user's id. 
# Replace client_id and client_secret with your organization's client_id and client_secret

curl --location --request POST 'https://api.bloomplus.dev/v1/users/authenticate/user_id' \
--header 'Authorization: Bearer client_id:client_secret'

# Returns: "ABCDEFGHIJKLMNOPQ123456789"
# Which can then be used as a bearer token:
# --header 'Authorization: Bearer ABCDEFGHIJKLMNOPQ123456789'
package main

import (
    "fmt"
    "io/ioutil"
    "log"
    "net/http"
)

func main() {
    // Define the user ID as a path parameter
    userID := "your-user-id"
    url := fmt.Sprintf("<BASE_URL>/v1/users/authenticate/%s", userID)

    // Create a new HTTP POST request
    req, err := http.NewRequest("POST", url, nil)
    if err != nil {
        log.Fatalf("Error creating request: %v", err)
    }

    // Set the Authorization header with client credentials
    clientID := "your-client-id"
    clientSecret := "your-client-secret"
    authHeader := fmt.Sprintf("Bearer %s:%s", clientID, clientSecret)
    req.Header.Set("Authorization", authHeader)

    // Send the request
    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
        log.Fatalf("Error making request: %v", err)
    }
    defer resp.Body.Close()

    // Read and process the response, expecting a plain string for the session token
    body, err := ioutil.ReadAll(resp.Body)
    if err != nil {
        log.Fatalf("Error reading response: %v", err)
    }

    if resp.StatusCode == http.StatusOK {
        // The response is a plain string containing the session token
        sessionToken := string(body)
        fmt.Printf("Successfully authenticated!\nSession Token: %s\n", sessionToken)
    } else {
        // Handle the error response
        var errorResponse map[string]string
        err = json.Unmarshal(body, &errorResponse)
        if err != nil {
            log.Fatalf("Error decoding error JSON: %v", err)
        }
        fmt.Printf("Error: %s\n", errorResponse["error"])
    }
}

For example, if the session token ABCDEFGHIJKLMNOPQ123456789 were returned, it will be used as a Bearer token in the format:

Authorization: Bearer ABCDEFGHIJKLMNOPQ123456789

This bearer token can now be used for User Scoped queries and mutations for the authenticated user.

Session Token Authentication

Session token authentication is the method for interacting with user data from a client-side application. Pass this session token along in the 'Authorization' header and all requests will be scoped to that user.

Authorization: Bearer session_token