API Authentication & Authorization
Learn OAuth 2.0 authentication, API key management, token refresh, and security best practices for API access.
API Authentication Overview
WorkFlux uses OAuth 2.0 for secure API authentication. This industry-standard protocol ensures your API credentials are protected and provides flexible access control.
This guide covers authentication methods, token management, and security best practices.
Business Value:
• Custom Integrations: API access enables custom workflows that competitors can't match, creating competitive moats
• Scalability: Programmatic access allows you to scale automation beyond our pre-built agents
• Efficiency: API integrations eliminate manual work, saving 20+ hours/week
• Innovation: Build custom solutions on top of WorkFlux infrastructure without $50K+ development costs
Included in Plans:
• Starter: Basic API access with rate limits
• Professional: Full API access with higher limits
• Enterprise: Unlimited API access + dedicated API support
OAuth 2.0 Authentication
WorkFlux implements the OAuth 2.0 Client Credentials flow:
Getting Credentials
1. Log in to your WorkFlux dashboard
2. Navigate to Settings > API Credentials
3. Click 'Create New API Key'
4. Copy your Client ID and Client Secret
5. Store credentials securely (never commit to version control)
Requesting Access Tokens
Request:

    POST https://api.workflux.ai/v1/auth/token
    Content-Type: application/json

    {
      "client_id": "your_client_id",
      "client_secret": "your_client_secret",
      "grant_type": "client_credentials"
    }

Response:

    {
      "access_token": "eyJhbGc...",
      "token_type": "Bearer",
      "expires_in": 3600
    }
Using Access Tokens
Include the access token in the Authorization header:

    Authorization: Bearer {access_token}

Example request:

    GET https://api.workflux.ai/v1/agents
    Authorization: Bearer eyJhbGc...
Token Management
Best practices for managing access tokens:
Token Refresh
• Access tokens expire after 1 hour
• Request a new token before expiration
• Implement automatic token refresh in your application
• Cache tokens to avoid unnecessary requests
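An added example (not WorkFlux's own code) of the caching and early-refresh practices above. The names TokenCache, fetch_token, refresh_margin and demo, and the 60-second margin, are assumptions of this example; fetch_token stands for any function that returns the parsed token response.

```python
import threading
import time


class TokenCache:
    """Caches a client-credentials token and renews it shortly before expiry."""

    def __init__(self, fetch_token, refresh_margin=60, clock=time.monotonic):
        # fetch_token (assumed name) returns the parsed token response as a dict
        self._fetch_token = fetch_token
        self._margin = refresh_margin   # renew this many seconds early
        self._clock = clock             # injectable so expiry can be tested
        self._lock = threading.Lock()   # one refresh at a time across threads
        self._token = None
        self._expires_at = 0.0

    def get(self):
        """Return the cached token, fetching a new one if none or near expiry."""
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at - self._margin:
                body = self._fetch_token()
                if str(body.get("token_type", "")).lower() != "bearer":
                    raise ValueError("unexpected token_type in token response")
                self._token = body["access_token"]
                self._expires_at = self._clock() + int(body["expires_in"])
            return self._token

    def invalidate(self):
        """Drop the cached token, for example after the API returns 401."""
        with self._lock:
            self._token = None


def demo():
    """Constructed token endpoint and clock, so this runs without network."""
    now, calls = [0.0], []

    def fake_fetch():
        calls.append(now[0])
        return {"access_token": f"tok-{len(calls)}", "token_type": "Bearer", "expires_in": 3600}

    cache = TokenCache(fake_fetch, clock=lambda: now[0])
    seen = []
    for t in (0.0, 3000.0, 3541.0):   # fetch, cache hit, inside the 60 s margin
        now[0] = t
        seen.append(cache.get())
    cache.invalidate()                # as after a 401 from the API
    seen.append(cache.get())
    return seen, len(calls)
```

In an integration, pass a function that posts to the token endpoint and returns the JSON body, and call invalidate() when a request comes back with 401.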
Security Best Practices
• Never expose Client Secret in client-side code
• Use environment variables for credentials
• Rotate API keys regularly (every 90 days)
• Use different keys for different environments
• Monitor API key usage for anomalies
• Revoke compromised keys immediately
Scopes & Permissions
API keys can be scoped to specific permissions:
• read:agents - Read agent information
• write:agents - Create and update agents
• read:analytics - Access analytics data
• write:integrations - Manage integrations
• admin - Full administrative access
Error Handling
Common authentication errors:
401 Unauthorized
• Invalid or expired access token
• Solution: Request a new token
403 Forbidden
• Insufficient permissions for the requested resource
• Solution: Check API key scopes
Code Examples
Example implementations:
Node.js Example

    const axios = require('axios');

    // Exchange the client credentials (read from the environment) for an access token.
    async function getAccessToken() {
      const response = await axios.post(
        'https://api.workflux.ai/v1/auth/token',
        {
          client_id: process.env.WORKFLUX_CLIENT_ID,
          client_secret: process.env.WORKFLUX_CLIENT_SECRET,
          grant_type: 'client_credentials'
        }
      );
      return response.data.access_token;
    }

Python Example
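
    import os

    import requests

    def get_access_token():
        # Credentials are read from the environment, never hard-coded.
        response = requests.post(
            'https://api.workflux.ai/v1/auth/token',
            json={
                'client_id': os.getenv('WORKFLUX_CLIENT_ID'),
                'client_secret': os.getenv('WORKFLUX_CLIENT_SECRET'),
                'grant_type': 'client_credentials'
            },
            timeout=10,  # do not hang indefinitely on the token endpoint
        )
        response.raise_for_status()  # fail on 401/403 instead of a KeyError below
        return response.json()['access_token']
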