Getting Started

API Authentication


Getting started with the Auth Armor API is fast and easy.

API URL:

Note: HTTPS is required.

API Access and Authentication

The Auth Armor API uses the OAuth2 Client Credentials flow to authenticate API calls.

For the OAuth2 Client Credentials flow, you will need to request a bearer token from our OAuth2 auth server.

You will need to obtain a client_id and a client_secret to generate bearer tokens. Please visit the dashboard, select your project, then create a backend private API client. Using this information, you can generate bearer tokens to access the API. For more information, see How to create API clients using the dashboard.

Many tools can generate bearer tokens for you. Postman has an integration for generating bearer tokens, and we recommend using Postman to assist with your implementation.


Auth Armor OAuth2 Server Token endpoint

If you are not using any tools, you can still request bearer tokens with a simple HTTP request, as shown below.

POST /connect/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: [dynamic]



  • client_id
  • client_secret

Username or user_id

When you use an API that requires the context of a user, for example Get User Info, you must pass a user_id in the route. If you wish to pass a username instead of a user_id, you can use an optional header called X-AuthArmor-UsernameValue to pass the username. When you do this, you must pass an empty UUID as the user id in the route (example: 00000000-0000-0000-0000-000000000000).

Example route:
Example header: X-AuthArmor-UsernameValue: [email protected]

GET /v3/users/00000000-0000-0000-0000-000000000000 HTTP/1.1
Content-Type: application/json
X-AuthArmor-UsernameValue: [email protected]

Privacy and Security

We do this for a specific reason: privacy and security. Headers are encrypted when using TLS/HTTPS. A URL route is not. Most routers log route data. This means that if your usernames are email addresses and they are put inside the route, this information is getting logged somewhere and can be data farmed.

Because of this, we only accept the user_id in the route, and if you wish to use a username, it can be passed inside the header. This gives you, the developer, more flexibility along with better security and privacy.
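The two requests described above, built without sending them, as an added example that is not Auth Armor's own code. The hosts are placeholders (the real URLs are not shown on this page), HttpRequest and the function names are hypothetical, and grant_type and the Authorization: Bearer header are assumed from RFC 6749 and RFC 6750 rather than taken from this page.

```python
import uuid
from typing import NamedTuple
from urllib.parse import urlencode, urlsplit

# Placeholder hosts: the real API and token server URLs are not shown on this page.
API_BASE = "https://api.example.invalid"
AUTH_BASE = "https://auth.example.invalid"
EMPTY_UUID = "00000000-0000-0000-0000-000000000000"

class HttpRequest(NamedTuple):  # hypothetical container; hand it to any HTTP client
    method: str
    url: str
    headers: dict
    body: bytes = b""

def build_token_request(client_id, client_secret):
    # grant_type is the value RFC 6749 section 4.4.2 defines for this flow (assumed here).
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    return HttpRequest("POST", AUTH_BASE + "/connect/token",
                       {"Content-Type": "application/x-www-form-urlencoded"},
                       urlencode(form).encode())

def build_user_request(user_ref, bearer_token):
    # Authorization: Bearer follows RFC 6750 (assumed; the page only says "bearer token").
    headers = {"Authorization": "Bearer " + bearer_token,
               "Content-Type": "application/json"}
    try:
        user_id = str(uuid.UUID(user_ref))  # a real user_id goes in the route
    except ValueError:
        # Anything else is treated as a username: header only, empty UUID in the route.
        if "\r" in user_ref or "\n" in user_ref:
            raise ValueError("username must not contain CR or LF")
        user_id = EMPTY_UUID
        headers["X-AuthArmor-UsernameValue"] = user_ref
    return HttpRequest("GET", f"{API_BASE}/v3/users/{user_id}", headers)

def request_line(req):
    # The part of a request that access logs typically record.
    return f"{req.method} {urlsplit(req.url).path} HTTP/1.1"

if __name__ == "__main__":
    req = build_user_request("alice@example.test", "TOKEN")  # constructed sample values
    print(request_line(req))
    print(req.headers["X-AuthArmor-UsernameValue"])
```

The CR/LF check rejects usernames that could split the header when the value comes from user input.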
