Authentication

Enablement Services supports multiple authentication scopes, depending on the level of access required. Organization scope allows for operations at an organization level, things like creating new users and authenticating users. User scope allows for operations on an individual user basis, like importing connections or viewing tradelines.

API requests require a valid 'Authorization' header.

Organization Scope

This scope is used to interact with organization wide resources. This can be used for operations like creating and authenticating users.

Client Credentials authentication is appropriate for server-to-server use cases. Exchange your client credentials for an access token that will be sent with subsequent requests. Don't expose your organization scoped access token in client-side code, Github or any other insecure location.

To use Client Credentials authentication view our API authentication guide API Authentication

User Scope

This scope is used to interact with an individual user's data, for example importing connections or retrieving tradelines.

Authenticating A User

Once a user has been created you will need to generate an access token that will be passed with every subsequent request to the graphql endpoint. This requires Organization scoped authentication. You will need an access token created by following the Organization Scope guide above. You will also need the user_id for the user being authenticated. This is the user_id that was returned from your call to RegisterOrganizationUser

The HTTP endpoint /v2/users/<user_id>/authenticate is used to obtain the access token for User Scoped Authentication.

Base URL based on environment:

Use the Development URL when testing or working in a development environment.
Use the Production URL when making live requests.

Development	Production
`https://api.bloomplus.dev`	`https://api.bloomplus.com`

# Replace user_id with the user's id. 
# Replace client_id and client_secret with your organization's client_id and client_secret

curl --location --request POST 'https://api.bloomplus.dev/v2/users/<user_id>/authenticate' \
--header 'Authorization: Bearer <organization_scoped_access_token>'

# Returns: {"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30", "expiresIn": 7200, "token_type": "Bearer"}
# Which can then be used as a bearer token:
# --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30'

package main

import (
    "fmt"
    "io/ioutil"
    "log"
    "net/http"
)

func main() {
    // Define the user ID as a path parameter
    userID := "your-user-id"
    url := fmt.Sprintf("<BASE_URL>/v1/users/authenticate/%s", userID)

    // Create a new HTTP POST request
    req, err := http.NewRequest("POST", url, nil)
    if err != nil {
        log.Fatalf("Error creating request: %v", err)
    }

    // Set the Authorization header with client credentials
    clientID := "your-client-id"
    clientSecret := "your-client-secret"
    authHeader := fmt.Sprintf("Bearer %s:%s", clientID, clientSecret)
    req.Header.Set("Authorization", authHeader)

    // Send the request
    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
        log.Fatalf("Error making request: %v", err)
    }
    defer resp.Body.Close()

    // Read and process the response, expecting a plain string for the session token
    body, err := ioutil.ReadAll(resp.Body)
    if err != nil {
        log.Fatalf("Error reading response: %v", err)
    }

    if resp.StatusCode == http.StatusOK {
        // The response is a plain string containing the session token
        sessionToken := string(body)
        fmt.Printf("Successfully authenticated!\nSession Token: %s\n", sessionToken)
    } else {
        // Handle the error response
        var errorResponse map[string]string
        err = json.Unmarshal(body, &errorResponse)
        if err != nil {
            log.Fatalf("Error decoding error JSON: %v", err)
        }
        fmt.Printf("Error: %s\n", errorResponse["error"])
    }
}

For example, if the access token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30 were returned, it will be used as a Bearer token in the format:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30

This bearer token can now be used for User Scoped queries and mutations for the authenticated user.