
Authentication

We offer two ways to authenticate: an API key ("static token") and JWT. JWT is the default.

Important: the static API key is considered an unsafe way to authenticate. JWT is the recommended method; use the API key only if you cannot use JWT.

JWT

We use the LexikJWTAuthenticationBundle for JWT authentication.

To use JWT authentication, a key pair must be generated by running the following command:

bin/console lexik:jwt:generate-keypair

This creates a public key and a private key in the config/jwt folder. Do not commit the private key to the repository. The public key is used to verify JWT tokens.

API key

The API key is a static token that can be used to authenticate requests. It is stored in the database, in the api_key column of the user table, and is sent either as a Bearer token in the Authorization header or as the api_key query parameter.

Examples

JWT with Bearer token

GET https://localhost/api/flow_executions?order[created_at]=desc&page=1&itemsPerPage=10 HTTP/1.1
Content-Type: application/json
Accept: application/vnd.api+json, application/json
Authorization: Bearer {{ token }}

API key as query parameter

GET https://localhost/api/flow_executions?order[created_at]=desc&page=1&itemsPerPage=10&apiToken={{ token }} HTTP/1.1
Content-Type: application/json
Accept: application/vnd.api+json, application/json

Authenticators

The corresponding authenticators are located in the src/Security directory; they authenticate the user and are wired up in the security.yaml file.
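An authenticator of the kind this section and the API key section describe, as an added example (not one of the project's own src/Security classes): it accepts the static key as a Bearer token or as the api_key query parameter and resolves it against the user table. The UserRepository, its apiKey field, and the assumption that it is the only authenticator on its firewall are mine, not the project's.

```php
<?php
// Added example, not the project's code. Assumed: a UserRepository whose apiKey
// field maps to user.api_key, and that this is the only authenticator on its firewall.
namespace App\Security;

use App\Repository\UserRepository;
use Symfony\Component\HttpFoundation\{JsonResponse, Request, Response};
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\{Passport, SelfValidatingPassport};

final class ApiKeyAuthenticator extends AbstractAuthenticator
{
    public function __construct(private UserRepository $users) {}
    // Claim only requests that actually carry a key.
    public function supports(Request $request): ?bool
    {
        return $this->extractKey($request) !== null;
    }
    public function authenticate(Request $request): Passport
    {
        $key = (string) $this->extractKey($request);
        // Resolve the key to a user row; an unknown key fails authentication.
        return new SelfValidatingPassport(new UserBadge($key, fn (string $k) =>
            $this->users->findOneBy(['apiKey' => $k])
                ?? throw new CustomUserMessageAuthenticationException('Invalid API key.')
        ));
    }
    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
    {
        return null; // let the request continue to the controller
    }
    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
    {
        return new JsonResponse(['message' => $exception->getMessageKey()], Response::HTTP_UNAUTHORIZED);
    }
    // Prefer the Authorization header; the query parameter is accepted as a fallback
    // but ends up in access logs and browser history, so treat it as the weaker option.
    private function extractKey(Request $request): ?string
    {
        $header = (string) $request->headers->get('Authorization', '');
        if (str_starts_with($header, 'Bearer ')) {
            return substr($header, 7);
        }
        return $request->query->get('api_key');
    }
}
```

Register the class under the relevant firewall's custom_authenticators entry in security.yaml so Symfony calls it for incoming requests.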