Enablement Services Authentication
Authentication
Enablement Services supports multiple authentication scopes, depending on the level of access required. Organization scope allows for operations at an organization level, things like creating new users and authenticating users. User scope allows for operations on an individual user basis, like importing connections or viewing tradelines.
API requests require a valid 'Authorization' header.
Organization Scope
This scope is used to interact with organization wide resources. This can be used for operations like creating and authenticating users.
Client Credentials Authentication
Client Credentials authentication is appropriate for server-to-server use cases. Don't expose your client credentials in client-side code, Github or any other insecure location.
To use Client Credentials Authorization pass the client credentials separated by a colon as the bearer token in the 'Authorization' header.
Authorization: Bearer client_id:client_secret
User Scope
This scope is used to interact with an individual user's data, for example importing connections or retrieving tradelines.
Authenticating A User
Once a user has been created you will need to generate a session token that will be passed with every subsequent request to the graphql endpoint. This requires Organization scoped authentication. You will need your organization's client_id
, client_secret
, and the user_id
for the user being authenticated. This is the user_id that was returned from your call to RegisterOrganizationUser
The HTTP endpoint /v1/users/authenticate/{user_id}
is used to obtain the session token for User Scoped Authentication.
Base URL based on environment:
- Use the Development URL when testing or working in a development environment.
- Use the Production URL when making live requests.
Development | Production |
---|---|
https://api.bloomplus.dev | https://api.bloomplus.com |
# Replace user_id with the user's id.
# Replace client_id and client_secret with your organization's client_id and client_secret
curl --location --request POST 'https://api.bloomplus.dev/v1/users/authenticate/user_id' \
--header 'Authorization: Bearer client_id:client_secret'
# Returns: "ABCDEFGHIJKLMNOPQ123456789"
# Which can then be used as a bearer token:
# --header 'Authorization: Bearer ABCDEFGHIJKLMNOPQ123456789'
package main
import (
"fmt"
"io/ioutil"
"log"
"net/http"
)
func main() {
// Define the user ID as a path parameter
userID := "your-user-id"
url := fmt.Sprintf("<BASE_URL>/v1/users/authenticate/%s", userID)
// Create a new HTTP POST request
req, err := http.NewRequest("POST", url, nil)
if err != nil {
log.Fatalf("Error creating request: %v", err)
}
// Set the Authorization header with client credentials
clientID := "your-client-id"
clientSecret := "your-client-secret"
authHeader := fmt.Sprintf("Bearer %s:%s", clientID, clientSecret)
req.Header.Set("Authorization", authHeader)
// Send the request
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
log.Fatalf("Error making request: %v", err)
}
defer resp.Body.Close()
// Read and process the response, expecting a plain string for the session token
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
log.Fatalf("Error reading response: %v", err)
}
if resp.StatusCode == http.StatusOK {
// The response is a plain string containing the session token
sessionToken := string(body)
fmt.Printf("Successfully authenticated!\nSession Token: %s\n", sessionToken)
} else {
// Handle the error response
var errorResponse map[string]string
err = json.Unmarshal(body, &errorResponse)
if err != nil {
log.Fatalf("Error decoding error JSON: %v", err)
}
fmt.Printf("Error: %s\n", errorResponse["error"])
}
}
For example, if the session token ABCDEFGHIJKLMNOPQ123456789
were returned, it will be used as a Bearer token in the format:
Authorization: Bearer ABCDEFGHIJKLMNOPQ123456789
This bearer token can now be used for User Scoped queries and mutations for the authenticated user.
Session Token Authentication
Session token authentication is the method for interacting with user data from a client-side application. Pass this session token along in the 'Authorization' header and all requests will be scoped to that user.
Authorization: Bearer session_token
Updated 9 days ago