Authentication
Last updated
Was this helpful?
Last updated
Was this helpful?
All API requests must use HTTPS and authenticate by passing API key credentials using . Requests do this by setting the request header Authorization: Basic <credentials> where credentials is a secret token authenticating the request and associating it with a specific API key.
Depending on your API client, you may need to take different steps to construct the Authorization header.
If your API client requires you to provide a username and password when using Basic Auth, use the Username and Password values provided on the API key confirmation screen. Your client will then create the Authorization header for you.
Postman is an example of an API client that prompts for a username and password. The secret token isn't needed in this case and no other custom headers should be needed aside from the username and password.
Some clients, such as curl, require constructing the header by hand. Use the API Secret Token value provided on the API confirmation screen, and construct a header that looks like Authorization: Basic <API Secret Token>.
For a curl, you'll use the following code, but replace the URL and replace the <api_secret_token> with the API secret token that is provided when API credentials are created.
To test your API credentials, submit a GET request to /api/v1/checkAuth with your credentials.
With curl, that might look like this:
If you recieve a 200 OK then your key is set up correctly to access CiviForm.
Additionally, API keys have several security features beyond simply checking the ID and secret of the key. If any of the constraints specified by those features are not met, API requests will receive a 401 response code. For more information see .
The CiviForm admin creates API keys using the admin UI. See for instructions on creating API keys and obtaining an API key's credentials.