REST API Authentication
The Weavy REST API uses token-based authentication. Tokens are issued by the Weavy instance. All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail unless stated otherwise.
Authentication Clients
Weavy uses authentication clients to validate requests to the API. Clients are created and updated in the Weavy UI. A client holds the information you need to make requests to the API, namely the ClientId and the ClientSecret.
Manage Clients
To manage Authentication Clients, you need to sign in to the Weavy installation with an administrator account. Then navigate to https://{your-weavy-url}/manage/clients.
To add a new client, click the plus icon and specify Display Name, Client Id and Client Secret.
It is possible to add multiple clients to facilitate different scenarios.
From the manage section it is also possible to disable and trash existing clients. Disabled or trashed clients cannot be used to authenticate API requests.
Authenticate using a Client
Authentication is done using the OAuth Client Credentials Flow.
When authenticating, the following happens:
- A caller authenticates with the https://{your-weavy-url}/api/auth token endpoint of the Weavy server using Client Id and Client Secret.
- Weavy validates the Client Id and Client Secret.
- Weavy responds with an access token.
- The caller can use the access token to call API endpoints.
Code samples
Request an access token:
curl -d "client_id={your-client-id}&client_secret={your-client-secret}&grant_type=client_credentials" https://{your-weavy-url}/api/auth
Response from token endpoint:
{
"access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3Mi...",
"token_type":"bearer",
"expires_in":3600
}
Call the API using the access_token in the Authorization header:
curl -H "Accept: application/json" -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3Mi..." https://{your-weavy-url}/api/{api-endpoint}