# API Authentication

If your HTTP API requires authentication with a specific set of headers or query params, you can configure it as a data source so that you don't need to set these parameters on every request.

{% hint style="info" %}
The parameters configured in the data source will be merged with the parameters configured in the specific request.
{% endhint %}

This article describes all available *authentication methods* when connecting your data source.

## Authentication methods

The following standard types of authentication are available for HTTP API:

* [Custom headers/query params](#custom-headers-query-params)
* [Basic Auth](#basic-auth)
* [Digest Auth](#digest-auth)
* [OAuth2](#oauth2)
* [API Key](#api-key)
* [Mutual TLS (mTLS)](#mutual-tls-mtls)

### Custom headers/query params

For some APIs, you may need to pass the API key via **Headers** or **Query Params**, for example, in [HubSpot](/reference/data-sources/hubspot.md). \
Add them to the corresponding fields and proceed with connecting your data source.

<figure><img src="/files/rzzXTF7YUNp4PDeSsF8r" alt=""><figcaption></figcaption></figure>

### Basic Auth

With this authentication method, you only need to provide your username and password.

<figure><img src="/files/8KrWwDlrXkpCa9WyVCTi" alt=""><figcaption></figcaption></figure>

### Digest Auth

Digest Auth is similar to Basic Auth but with more focus on security. \
In Basic Auth, a user sends their credentials to the server in plain text, which makes them easy for a man-in-the-middle to intercept. Digest Auth, on the other hand, uses encryption algorithms to secure the transmission of user credentials.

With this authentication method, you only need to specify your username and password.
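
What each scheme actually puts in the `Authorization` header, as an added example that is not UI Bakery's own code. It follows the RFC 7617 (Basic) and RFC 7616 (Digest, `qop=auth`, SHA-256) formats; the username, password, realm, nonces and URI are constructed sample values.

```python
import base64
import hashlib


def _h(text):
    """SHA-256 hex digest, the hash RFC 7616 adds alongside legacy MD5."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def basic_header(username, password):
    """Basic: base64 of "user:password". Encoding only, trivially reversible."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def recover_basic_credentials(header):
    """What anyone who can read a Basic header learns: the credentials themselves."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """Digest: a hash binding the credentials to the server nonce and this request."""
    ha1 = _h(f"{username}:{realm}:{password}")  # secret part, never sent as-is
    ha2 = _h(f"{method}:{uri}")                 # ties the response to method and URI
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(username, password, realm, method, uri, nonce, nc, cnonce):
    """Header the client sends after the server's 401 challenge supplied realm and nonce."""
    response = digest_response(username, password, realm, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", algorithm=SHA-256, qop=auth, nc={nc}, '
            f'cnonce="{cnonce}", response="{response}"')


if __name__ == "__main__":
    # Constructed sample values; a real nonce comes from the server's challenge.
    user, pw = "alice", "s3cret-constructed"
    print(basic_header(user, pw))
    print(recover_basic_credentials(basic_header(user, pw)))
    print(digest_header(user, pw, "api@example.test", "GET", "/v1/items",
                        "nonce-from-server-A", "00000001", "client-nonce-1"))
```

Digest keeps the password itself out of the header and makes the response useless for a different nonce, but neither scheme encrypts the request or response, so configure both only against HTTPS URLs.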

### OAuth2

*OAuth 2.0* is the protocol that allows UI Bakery to access data sources hosted by other web apps on behalf of the user.

Once you've selected this method, you can also choose a *specific flow* in the **OAuth2 Flow** dropdown:

* Authorization Code Flow
* Client Credentials Flow
* Password Grant

The following parameters are available for the configuration:

* **UI Bakery redirect callback** - read-only; should be set in the *API OAuth settings*
* **Client ID** & **Client secret** - should be filled with values provided by the API
* **Authorization URL** & **Access Token URL** - should be filled with values provided by the API
* **Additional params for Access Token request** - any additional parameters that need to be sent with the access token request, for example, `entity_id`. They are added to the access token request's body.
* **Scope** - a space-delimited list of permissions granted to the data source

{% hint style="info" %}
When the **Require personal user token** checkbox is enabled, each user will be asked to authorize their access to the API. Each user will have their own token. \
Data sources with personal tokens can't be used in automations or in public apps by anonymous users. If the *personal token* checkbox is not selected, then the token acquired during the data source creation will be used by all users.
{% endhint %}

<figure><img src="/files/YmY1rzpXox8Q6KDCAwWr" alt=""><figcaption></figcaption></figure>

#### How to use request data with OAuth 2.0

In the *Data source configuration*, you can use the `UI_BAKERY_OAUTH2_TOKEN` placeholder which will be replaced with the token value during the request. If the ID token was requested, you can use the `UI_BAKERY_OAUTH2_ID_TOKEN` placeholder as well.

By default, the header `Authorization: Bearer UI_BAKERY_OAUTH2_TOKEN` will be automatically added to each request to the data source with OAuth 2.0 enabled. You can override this behavior by adding your own *Authorization* header.

On the **Enterprise** plan, you can use the `UI_BAKERY_SSO_TOKEN` placeholder - it will be replaced by the token from the SSO authentication.

#### Token refresh

UI Bakery will try to automatically refresh the token if it's returned by the API during authorization. If token refresh is not possible, users will be prompted to grant access each time the token expires.

### API Key

This authentication method involves sending an API key along with the request. An API key is a unique identifier issued by the API provider to authorized users or applications and is used to identify and track API usage.

The **API Key** you specify in the *Authentication settings* section will be added as an Authorization header with the `Bearer {API_KEY}` value and it will be encrypted.

### Mutual TLS (mTLS)

This authentication method involves using mTLS to authenticate requests. With mTLS, both the client and the API server verify each other’s identity using TLS certificates before any HTTP request is processed.

You need to specify the **Client certificate** and **Client key** that will be used to establish a secure TLS connection with the API. *Certificate authority* and *Client key passphrase* are optional; add them if necessary.

<figure><img src="/files/86xmVH1MiHuJvIyLJKqS" alt=""><figcaption></figcaption></figure>

## Usage

Once you have established the connection between UI Bakery and the required application via API, you can further access and [manage its data](/reference/data-sources/http.md#usage).

