How To Assign A User To A API Workflow Endpoint

Authentication:

  • Session cookie. If the call is done from the browser and there is a session cookies present, the user represented by the cookie will be the call will be run in the context of this user.

Obviously, there are some typos here, but you should get the idea? If I’m logged in to your app and I call your app’s workflow API, that workflow runs in my context.

If I am not logged into your app, this API will fail as I am not authenticated – unless authentication is not required, in which case it will run.

NOW, this isn’t a very common sort of use case, if you ask me. The more common use case is: I have integrated to some external API. That service (whatever it is) has a webhook facility that can ping me when something happens over there.

(e.g., that service has users who might also use my app. They have given my app permission to do stuff. The external app has webhooks. Those webhooks can ping my app to inform me about some change over there, and it only pings MY endpoints for changes that happen with respect to users who have authenticated my app.)

I don’t want just anybody pinging those endpoints. So they require authentication. That authentication should be in the form of a token. I make a token in Settings. I use that token to configure the webhooks over in the external app. This token represents THAT OTHER APP and is not shared with anybody else.

If it’s just a basic webhook, you’ll have to do as the reference says here:

You can also add your API Token directly in the URL for both the Workflow and the Data API as a querystring parameter api_token. This approach is not recommended as it is less secure. [than the part I’m going to quote below…]

If you’re granting somebody permission to integrate to your API and they are developing stuff, you’d do it like this:

– Use an API Token generated in the API section in the Settings Tab. This API Token is secret and should not be shared with anyone. To authenticate with such a mechanism, add Authorization: Bearer API_TOKEN to the header. When you authenticate with such an API Token, the call is run in the context of an admin user of the app, who has access to all data.
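As an added illustration (not Bubble's own code and not part of the post above), here is a small Python model of the context-resolution rules the quoted reference describes: Bearer token or api_token query parameter runs as admin, a session cookie runs as that user, and nothing at all fails unless the endpoint does not require authentication. The precedence between token and cookie, the dictionary shapes, and all sample values are assumptions.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample data; not real Bubble tokens or session values.
SESSIONS = {"sess_abc123": "alice@example.com"}   # cookie value -> logged-in user
API_TOKENS = {"tok_constructed_secret_1"}         # tokens made in Settings > API


@dataclass
class CallContext:
    allowed: bool
    principal: Optional[str]   # user email, "admin", or None for anonymous
    via: str                   # which mechanism decided the outcome


def _token_valid(token: str) -> bool:
    # Constant-time comparison so response timing does not reveal how many
    # leading characters of a guessed token matched a real one.
    return any(hmac.compare_digest(token.encode(), t.encode()) for t in API_TOKENS)


def resolve_context(headers, cookies, query, require_auth: bool) -> CallContext:
    """Decide in whose context a Workflow API call runs (assumed order:
    header token, then query token, then session cookie, then anonymous)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        if _token_valid(auth[len("Bearer "):]):
            return CallContext(True, "admin", "bearer_header")
        return CallContext(False, None, "bearer_header")   # wrong token: reject
    # Query-string token works but is the less secure path: the token lands
    # in server logs, proxy logs and browser history along with the URL.
    if "api_token" in query:
        if _token_valid(query["api_token"]):
            return CallContext(True, "admin", "api_token_query")
        return CallContext(False, None, "api_token_query")
    # Browser call carrying a session cookie: run as that user.
    user = SESSIONS.get(cookies.get("session", ""))
    if user:
        return CallContext(True, user, "session_cookie")
    # Nothing presented: fail, unless this endpoint does not require auth.
    if require_auth:
        return CallContext(False, None, "none")
    return CallContext(True, None, "none")
```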
