This page is for Authlete 2.x. For 3.0, see Authentication (3.0).

Authentication (2.x)

Authlete 2.x APIs are secured using HTTP Basic authentication. You authenticate with your API key (service API key) and API secret — not with Bearer tokens. Include them in every request to the Authlete 2.x API (api.authlete.com).

How to authenticate

Use HTTP Basic auth with your API key as the user name and your API secret as the password.

Header format:

    Authorization: Basic <base64(API_KEY:API_SECRET)>

Example with curl:

    curl -X POST "https://api.authlete.com/api/auth/authorization" \
      -u '<API_KEY>:<API_SECRET>' \
      -H "Content-Type: application/json" \
      -d '{"parameters": "response_type=code&client_id=..."}'

The -u option in curl sends the credentials as HTTP Basic auth. Replace <API_KEY> and <API_SECRET> with your service’s API key and API secret.

Getting your API key and API secret (2.x)

In Authlete 2.x, each service has one API key and one API secret. They identify and authenticate your authorization server when it calls Authlete.

How to get them
  1. Sign up or log in at Service Owner Console (2.x).
  2. Open your service (or create one).
  3. In the service settings, find API Key and API Secret.
  4. Copy and store them securely. Use the API key as the “username” and the API secret as the “password” for Basic auth.
You use the same API key and secret for all Authlete 2.x API calls for that service (e.g. /auth/authorization, /auth/token, /auth/introspection). There are no separate “Service Access Token” or “Organization Token” in 2.x — only the API key and secret.
Security: Treat your API key and API secret as secrets. Do not commit them to version control or expose them in client-side code. Use environment variables or a secret manager.
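
One way to follow the environment-variable advice above when calling the API from a script. This is an added example, not Authlete's code: the variable names AUTHLETE_API_KEY and AUTHLETE_API_SECRET and both function names are assumptions. It hands the credentials to curl through a config read from stdin (-K -) instead of -u, which keeps them out of the process argument list.

```sh
#!/bin/sh
# Added example, not Authlete's code. AUTHLETE_API_KEY, AUTHLETE_API_SECRET
# and both function names are assumptions made for this sketch.

AUTHLETE_BASE_URL="https://api.authlete.com/api"

# Print a curl config line carrying the Basic credentials taken from the
# environment. Returns non-zero (and prints nothing on stdout) when a value
# is missing or the key cannot be represented in Basic auth.
authlete_curl_config() {
  if [ -z "${AUTHLETE_API_KEY:-}" ] || [ -z "${AUTHLETE_API_SECRET:-}" ]; then
    echo "AUTHLETE_API_KEY and AUTHLETE_API_SECRET must be set" >&2
    return 1
  fi
  case "$AUTHLETE_API_KEY" in
    *:*) echo "API key must not contain ':' (the Basic auth separator)" >&2
         return 1 ;;
  esac
  # Escape backslash and double quote, the two characters that are special
  # inside a quoted curl config value.
  creds=$(printf '%s:%s' "$AUTHLETE_API_KEY" "$AUTHLETE_API_SECRET" |
          sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
  printf 'user = "%s"\n' "$creds"
}

# POST a JSON body to an Authlete 2.x endpoint such as /auth/authorization.
# The credentials reach curl on stdin (-K -), so they are not visible in
# the argument list of the curl process.
authlete_post() {
  path=$1
  body=$2
  config=$(authlete_curl_config) || return 1
  printf '%s\n' "$config" |
    curl -sS -K - -X POST "${AUTHLETE_BASE_URL}${path}" \
      -H "Content-Type: application/json" \
      -d "$body"
}

# Usage (performs a real request):
#   authlete_post /auth/authorization '{"parameters": "response_type=code&client_id=..."}'
```
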

Quick test (2.x)

Verify your credentials with a simple call:

    curl -s -X POST "https://api.authlete.com/api/auth/authorization" \
      -u '<API_KEY>:<API_SECRET>' \
      -H "Content-Type: application/json" \
      -d '{"parameters": "response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=https://example.com/cb"}'

Replace <API_KEY>, <API_SECRET>, and YOUR_CLIENT_ID with your service API key, API secret, and a valid client ID for that service. A successful response will include an action (e.g. INTERACTION) and a ticket.

Summary: 2.x vs 3.0

| | Authlete 2.x | Authlete 3.0 |
|---|---|---|
| Auth method | HTTP Basic (API key + API secret) | Bearer token (Service or Organization access token) |
| Where to get | Service Owner Console (so.authlete.com) | Authlete Console (console.authlete.com) — Service or Organization → Access Tokens |
| Scope | One key/secret per service | Service Access Token (per service) or Organization Token (org-wide) |

For 3.0 authentication (Bearer tokens, Service and Organization tokens), see Authentication (3.0).
