API clients

Third-party system integrations can use the application programming interfaces (APIs). Access to the APIs is enabled via API clients, which are an integral part of the OAuth 2.0 authorization framework of the platform.

An API client is a special platform account which represents the third-party system that must authenticate and be authorized to access platform data and services data. API client access is limited to the tenant whose Management Portal administrator creates the client, and any sub-tenants.

The API client inherits the service roles of the administrator account, and these roles cannot be changed later. Changing roles of the administrator account or disabling it does not affect the client.

API client credentials

The API client credentials consist of the unique identifier (ID) and a secret value. These credentials do not expire, and cannot be used to log in to Management Portal or any other service console.

It is not possible to enable two-factor authentication for the client.

API client flow

  1. A Management Portal administrator creates an API client.

  2. An administrator enables the OAuth 2.0 client credentials flow in the third-party system.

  3. According to this flow, before accessing the tenant and its services via the API, the system must first send the API client credentials to the platform, using the authorization API.

  4. The platform generates and sends back a security token- the unique cryptic string assigned to this specific client.

  5. The third-party system must add this token to all API requests.

The security token eliminates the need for passing client credentials with API requests.

For additional security, the security token expires in two hours.
After this time, all API requests with the expired token will fail, and the system must request a new token from the platform.