Most API requests will need to authenticate against the Isometric API in two ways simultaneously:
  • By passing a client secret in the X-Client-Secret header to identify the system integrating with the API.
  • By passing an access token in the Authorization header to authenticate as a specific organization, in order to gain access to its private data.

Client Authentication

Every API call to Isometric must include a client secret identifying the client application. This client secret is tied to a particular environment - sandbox or production. The client secret should be submitted on every API request via the X-Client-Secret header. For example: X-Client-Secret: uPrO...wxAh.

Organization Authentication

In addition, a large number of API requests will require an access token in order for the caller to identify themselves and act as a specific Organization. To authenticate as an Organization you will need to submit a JWT bearer access token via the Authorization header. For example: Authorization: Bearer eyJh...sw5c. If you are going to be acting on behalf of other Organizations, they will need to generate the access token and pass it securely to you. Access tokens should be treated as highly sensitive, kept secret and stored accordingly. Access tokens are scoped to a single Organization - so if you are acting on behalf of multiple organizations, you will need to submit the appropriate access token on each request.

Managing Credentials

Credentials can be managed through the Certify UI in the Team settings section. Access tokens expire 1 year after generation. When you are approaching expiry, a new token will need to be generated. Both client secrets and access tokens can be created and invalidated through the UI. Client secrets do not expire and do not need to be rotated. If either secret becomes compromised, it should be invalidated through the UI.
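The two-header scheme above (client secret plus a per-Organization bearer token) and the one-year token expiry, as an added example that is not Isometric's own code. It assumes the access token is a standard JWT carrying an `exp` claim; the client secret, organization ids and sample tokens are constructed placeholders, and the JWT signature is deliberately not verified client-side (the API does that), the claim is only read for local expiry bookkeeping.

```python
import base64
import json
import time

ONE_YEAR = 365 * 86400  # access tokens expire one year after generation


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(org_id: str, issued_at: int) -> str:
    """Constructed, unsigned JWT-shaped token for offline testing only.
    Real access tokens are generated by the Organization in the Certify UI."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = {"org": org_id, "iat": issued_at, "exp": issued_at + ONE_YEAR}
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def token_status(token: str, now: float, warn_days: int = 30) -> str:
    """Classify a token as 'ok', 'expiring' or 'expired' from its `exp` claim.
    The signature is NOT checked here (the API validates tokens); this only
    tells the operator to generate a replacement before the old one expires."""
    _, payload, _ = token.split(".")
    exp = int(json.loads(_b64url_decode(payload))["exp"])
    if exp <= now:
        return "expired"
    return "expiring" if exp - now < warn_days * 86400 else "ok"


def auth_headers(client_secret: str, org_id: str, tokens: dict, now=None) -> dict:
    """Both headers for one request: X-Client-Secret identifies the integrating
    system, the bearer token selects the Organization. Tokens are looked up per
    organization so one org's token is never sent on another org's request."""
    now = time.time() if now is None else now
    if org_id not in tokens:
        raise KeyError(f"no access token on file for organization {org_id}")
    if token_status(tokens[org_id], now) == "expired":
        raise ValueError(f"access token for {org_id} expired; generate a new one")
    return {"X-Client-Secret": client_secret,
            "Authorization": f"Bearer {tokens[org_id]}"}


if __name__ == "__main__":
    # Constructed sample data; the secret and org ids are placeholders.
    now = 1_700_000_000
    tokens = {"org_a": make_sample_token("org_a", now - 10 * 86400),
              "org_b": make_sample_token("org_b", now - 350 * 86400)}
    hdrs = auth_headers("PLACEHOLDER_CLIENT_SECRET", "org_a", tokens, now)
    print(hdrs["Authorization"][:30] + "...", token_status(tokens["org_b"], now))
    # pass `hdrs` as the headers of every request, e.g. requests.get(url, headers=hdrs)
```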