​

API Authentication

​

Authentication Methods Overview

1. API Keys (Developer API):

• Use Case: For external developers, scripts, or services integrating with Altostrat SDX programmatically.
• Mechanism: Long-lived, team-specific API Keys used directly as Bearer tokens in the Authorization header.

2. OAuth 2.0 (Web Application / SPA):

• Use Case: Used by the official Altostrat SDX web application and potentially other first-party or trusted client applications authenticating as a user.
• Mechanism: Standard OAuth 2.0 flows (Authorization Code or Implicit Grant) result in short-lived JWT Bearer tokens managed by the client application.

3. Internal M2M Tokens:

• Use Case: Communication between Altostrat’s internal backend microservices.
• Mechanism: Service-specific, private Bearer tokens. Not available or documented for external use.

​

Developer API Authentication (Using API Keys)

​

Obtaining an API Key

• API Keys are generated within the Altostrat SDX web application.
• Navigate to your Team Settings > API Credentials section. (Note: Exact UI path may vary).
• You can create multiple keys, typically one per integration or application, giving each a descriptive name.
• Each API Key is scoped to the specific Team it was created under. It can only access resources associated with that team.

​

API Key Format

• tokenId: The unique UUID of the API token record.
• teamId: The UUID of the team the token belongs to.
• secret: A randomly generated secret string (62 characters).

​

Using the API Key

GET /teams HTTP/1.1
Host: api.altostrat.io
Authorization: Bearer 9c16437d-aaaa-bbbb-cccc-adfbfc156d0c:9b52d930-dddd-eeee-ffff-4c12dff85544:Kq5z...rA9p
Accept: application/json
Content-Type: application/json

​

Security & Rate Limiting

• Treat your API Keys like passwords. Do not expose them in client-side code or public repositories.
• Generate separate keys for different applications and revoke any compromised keys immediately via the web UI.
• API requests using these keys are rate-limited to 60 requests per minute per key. Exceeding this limit will result in 429 Too Many Requests errors.

​

Web Application / SPA Authentication (OAuth 2.0)

• Flow: Users log in via the web interface (using username/password or an external Identity Provider like Google, Microsoft, GitHub). The application then handles an OAuth 2.0 flow (likely Authorization Code grant) to obtain a JWT (JSON Web Token).
• Usage: This JWT is automatically included as a Bearer token in the Authorization header for subsequent API calls made by the web application itself.
• End-User Impact: As an end-user using the web application, you don’t typically need to manage these JWTs directly; the application handles their lifecycle (obtaining, refreshing, using).
• Developer Impact: If you are building a client application that needs to act on behalf of an Altostrat SDX user, you would implement a standard OAuth 2.0 client flow using the endpoints defined in our OpenID Connect Discovery Document.

​

Internal Machine-to-Machine APIs

• They use separate, internal authentication mechanisms (e.g., M2mAuth, SiteInternalAuth Bearer tokens).
• These APIs and their authentication details are not publicly exposed or documented for external use.

​

Summary: Choosing the Right Method

• Integrating your service/script with Altostrat SDX? Use the Developer API Authentication with an API Key generated for your Team.
• Using the official Altostrat SDX Web Application? Authentication is handled automatically via OAuth 2.0 / JWT.
• Building a client that logs users into Altostrat SDX? Implement an OAuth 2.0 client flow.
• Working on Altostrat’s internal infrastructure? Use the designated Internal M2M Authentication (details managed internally).

• Learn how to Manage API Credentials.