All Collections
Token Authentication
Token Authentication
Daniel Chilcott avatar
Written by Daniel Chilcott
Updated over a week ago

API Tokens are used to authorize invokes of Workflows via REST API

Creating and Managing Tokens

Access the API Keys Management Pane by clicking on your Site name in the left-hand menu and then choosing API Keys.

Click + to generate a new API Key, then choose New Token-based Key


Provides a unique name for the key. When a invoked using a key, the InitialisationXml Property will indicate the key that was used in the form Key: your-key-name in the Username element.


Keys can be disabled as necessary. Note that it may take up to five minutes for a disabled key to stop working.

Target Site Environment

Optionally select a specific Site Environment to cause Workflows invoked using this tokens to launch under the chosen Site Environment. This is recommended practice as it enables separate tokens to be used for different environments.

Important: If you have selected a non-Production environment under this setting, you must also include the desired environment in the querystring of your calls. For example, &_profile=Test.

Primary and Secondary Keys

Contains the generated keys. Note that these keys are only available when first generated. If a key is lost it will be necessary to regenerate it and all consumers relying on the old key must be updated to use the new key.

Permitted Workflows

Select the Workflows that will be permitted to execute against this Key. Note that only Workflows that are bound to a REST template are displayed in this list. Flowgear will only authorize the Key against the selected Workflows.

Specifying a Key in an API call

API Keys can be provided via a querystring or via the Authorization HTTP Header.

Specify the Authorization header like this:

Authorization: Key=your-auth-key 

Append the querystring auth-key to the request URL. For exampe, if you are invoking this Workflow:

Provide the API Key like this:

Note that we do not recommend using this technique because it is possible that the URL will be logged.

Did this answer your question?