Authenticating API Requests

Flowmill APIs use role-based permissions, encoded using a time-limited JWT token, to allow or deny requests. There are currently two roles that a JWT token may encode:

  • Admin. Admins are capable of managing other users.

  • User. Users are capable of performing most actions.

Scripts can programmatically request a JWT token from the Authz Service using API keys.

Create an API Key and Secret

To create an API key, navigate to the API Keys Tab, located under the Settings Panel within the Flowmill UI.

!!! note "Note: API Keys are scoped by Tenant ID"
    API keys are scoped by tenant ID. If you have multiple tenants, you will need to create an API key for each tenant that you wish to access.

Request a JWT Token

The following code shows how to request a JWT token using an API key:

import flowmill

# API keys start with the string KFIA (KFII keys are for Agents)
key = 'KFIA...'
secret = '...'

# Authenticate to the Authz Service with the API secret as a bearer credential
config = flowmill.Configuration()
config.api_key['Authorization'] = secret
config.api_key_prefix['Authorization'] = 'Bearer'
authz_client = flowmill.AuthzServiceApi(flowmill.ApiClient(config))

# Exchange the API key for a short-lived JWT token
try:
    token = authz_client.get_token_from_key(key)
except Exception as err:
    print('ERROR: Failed to fetch JWT token: {}'.format(err))
    raise
print('Received token with lifetime {}s'.format(int(token.expiration_s) - int(token.issued_at_s)))

This token can now be used to authenticate with the remaining Flowmill APIs.

JWT tokens are valid for 10 minutes.

Using a JWT Token

Given a JWT token, you can now create a configuration for the remaining APIs:

config = flowmill.Configuration()
config.api_key['Authorization'] = token
config.api_key_prefix['Authorization'] = 'Bearer'
api_client = flowmill.ApiClient(config)

This api_client object can now be passed to any of the ServiceApi constructors so that requests to those APIs are authenticated and authorized with the token. To get started, try listing all users in your tenant using the TenantsServiceApi.
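Putting the two steps above together, the following is an added example (not Flowmill's own code) of a small token cache: it reuses one JWT across many requests and refreshes it shortly before the 10-minute lifetime runs out, so the API secret is only presented to the Authz Service when a new token is actually needed. The FakeAuthzClient and FakeJwtToken classes are constructed stand-ins so the example runs offline; the real response object exposes issued_at_s and expiration_s as shown on this page, while the assumption that it also carries the JWT string in a token attribute is marked in the code.

```python
import time


class FakeJwtToken:
    """Stand-in for the object get_token_from_key() returns.

    Constructed for this example: the real response exposes issued_at_s and
    expiration_s (used on this page); the 'token' attribute holding the JWT
    string is an assumption about the response shape.
    """

    def __init__(self, token, issued_at_s, expiration_s):
        self.token = token
        self.issued_at_s = issued_at_s
        self.expiration_s = expiration_s


class FakeAuthzClient:
    """Offline stand-in for flowmill.AuthzServiceApi (constructed for this example).

    Issues tokens with the 10-minute lifetime the page states and counts how
    many times a script actually round-trips to the Authz Service.
    """

    LIFETIME_S = 600

    def __init__(self, clock):
        self._clock = clock
        self.calls = 0

    def get_token_from_key(self, key):
        if not key.startswith('KFIA'):
            raise ValueError('API keys start with KFIA')
        self.calls += 1
        now = int(self._clock())
        # Placeholder token string; a real JWT is three base64url segments.
        return FakeJwtToken('jwt-%d' % self.calls, now, now + self.LIFETIME_S)


class TokenManager:
    """Caches a JWT and refreshes it before it expires.

    Remaining lifetime is measured on the local clock from the moment the token
    was fetched, using the server-reported lifetime (expiration_s - issued_at_s),
    so skew between client and server clocks does not make a valid token look
    expired or an expired one look valid.
    """

    def __init__(self, authz_client, api_key, clock=time.time, refresh_margin_s=60):
        self._authz_client = authz_client
        self._api_key = api_key
        self._clock = clock
        self._refresh_margin_s = refresh_margin_s
        self._token = None
        self._fetched_at = None

    def _remaining_s(self):
        lifetime_s = int(self._token.expiration_s) - int(self._token.issued_at_s)
        return lifetime_s - (self._clock() - self._fetched_at)

    def bearer_token(self):
        """Return a JWT string with at least refresh_margin_s of lifetime left."""
        if self._token is None or self._remaining_s() < self._refresh_margin_s:
            self._fetched_at = self._clock()
            self._token = self._authz_client.get_token_from_key(self._api_key)
        return self._token.token

    def authorization_header(self):
        """The header value the Configuration on this page produces: 'Bearer <jwt>'."""
        return {'Authorization': 'Bearer ' + self.bearer_token()}


def demo():
    """Drive the manager with a controllable clock; returns what was observed."""
    clock = {'now': 1700000000}
    authz = FakeAuthzClient(lambda: clock['now'])
    manager = TokenManager(authz, 'KFIA-example-key', clock=lambda: clock['now'])

    first = manager.bearer_token()    # no token yet: fetched from Authz Service
    clock['now'] += 300
    second = manager.bearer_token()   # 300s left: cached token reused
    clock['now'] += 250
    third = manager.bearer_token()    # 50s left (< 60s margin): refreshed
    return {
        'fetches': authz.calls,
        'reused': first == second,
        'refreshed': third != second,
        'header': manager.authorization_header()['Authorization'],
    }


if __name__ == '__main__':
    print(demo())
```

Swap the fake client for a real flowmill.AuthzServiceApi configured with the API secret (as in the first snippet) and the manager's authorization_header() value is what the Configuration in the second snippet sends; the refresh margin should be at least as long as your slowest request so a token does not expire mid-flight.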