Authentication

All HTTP requests to the Workbench API must be authenticated with the HTTP Authorization header. The Workbench API supports two authentication schemes: Basic and Bearer (OAuth2.0). A valid Web Workbench login is required.

Basic

Basic authentication is recommended for development or testing purposes only. The credentials (username and password) are base64-encoded, not encrypted, so this scheme is not secure unless the connection uses HTTPS (TLS).

The Authorization header will take the form:

Authorization: Basic XXXXX

Where XXXXX is the base64-encoded username and password of the Workbench credentials you want to use, separated by a colon. For example, to authenticate as a user with a Workbench login code of 'user' and a password of 'password', you would base64-encode the text “user:password”, and the header would be:

Authorization: Basic dXNlcjpwYXNzd29yZA==

OAuth2.0

This is the recommended authentication scheme. It uses OAuth2.0 tokens. You'll need to log in to Workbench and set up an Application Client to generate a client token.

Generating a Client Token

  1. Log in to Web Workbench and navigate to the Application Clients screen (#/Admin/ApplicationClient.aspx). This is a hidden screen in Workbench, so you will need to manually type in the URL.

  2. Create a new Application Client in the grid. The following fields will be required:

    1. Id: a unique identifier of the client

    2. Name: a brief description of the client

    3. Application Type: either ‘Native Confidential’ or ‘JavaScript’

    4. Active: make sure to tick this; an inactive client would deactivate all client tokens and prevent integrations from connecting to the Workbench API

    5. Life Time: the duration, in minutes, that tokens generated for this client will be valid for

    6. Allow Origin: specifies the valid origins for the API by setting the “Access-Control-Allow-Origin” header; an asterisk (*) can be used to indicate a wildcard (any origin)

  3. Once the record is saved and the new Application Client is created, click the ‘Authorize’ button to generate a new client token.

  4. Copy the token to use in the Authorization header of HTTP requests to the Workbench API:

Authorization: Bearer [token]

Currently there is no refresh functionality for client tokens, so when a token expires, a new one has to be generated manually from the Application Clients screen in Workbench.
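The two header forms described above, as an added example (not part of the Workbench documentation or its code): it builds the Basic and Bearer header values, decodes the Basic value back to plaintext to show why HTTPS is required, and refuses to attach credentials to a non-HTTPS URL. The function names are hypothetical, and the URL and token are constructed placeholders.

```python
import base64
from urllib.parse import urlsplit
from urllib.request import Request


def basic_auth_header(username: str, password: str) -> str:
    """Build the Basic header value: base64("username:password")."""
    if ":" in username:
        # The first colon separates the two fields, so a colon in the
        # username would make the decoded value ambiguous.
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_header(value: str) -> tuple[str, str]:
    """Recover the credentials from a Basic header value; no key is needed."""
    scheme, _, encoded = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    username, _, password = decoded.partition(":")
    return username, password


def bearer_auth_header(token: str) -> str:
    """Build the Bearer header value from a client token."""
    token = token.strip()
    if not token or any(c.isspace() for c in token):
        raise ValueError("token must be a single non-empty value")
    return "Bearer " + token


def authenticated_request(url: str, authorization: str) -> Request:
    """Prepare (but do not send) a request, refusing non-HTTPS URLs."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("refusing to attach credentials to a non-HTTPS URL")
    return Request(url, headers={"Authorization": authorization})


# Constructed sample values; the host and path are placeholders.
API_URL = "https://workbench.example.invalid/api/placeholder"

if __name__ == "__main__":
    header = basic_auth_header("user", "password")
    print(header)
    print(decode_basic_header(header))
    req = authenticated_request(API_URL, bearer_auth_header("constructed-token"))
    print(req.get_header("Authorization"))
```

Because the Bearer token is a credential just like the Basic value, keep it out of logs and source control.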

 

[Screenshot: Application Clients screen]