Authentication and Authorization

Authentication and Authorization applies for both Python SDK and REST API

All API endpoints require authentication via the OAuth 2.0 protocol. To interact with our resources, you must first generate a Client ID and Client Secret.

Create an OAuth Client

Navigate to the Admin Panel to register your application:

Setup > OAuth 2.0 Clients > Add (Direct link: apps.catapa.com/dashboard/.../oauth-client/add)

3. Choose Your Grant Type

In accordance with RFC 6749, CATAPA supports two main flows:

• Client Credentials: Used for server-to-server communication (machine-to-machine).

• Authorization Code: Used to perform actions on behalf of a specific user.

For public API use case, please choose Client Credentials

Once you fill out the required fields, a dialog box will display your credentials.

Save these credentials immediately. The Client Secret is shown only once and should be kept strictly confidential. Do not commit these to public repositories.

Now that you have your client ID and Client secret in hand, next you need to change them to Token.

Creating Bearer Token

If you're using Python SDK, you don't need to create this bearer token.

For Python SDK, you can pass the Client ID and Client Secret directly to the SDK.

if you are using REST API, you need to generate bearer token by yourself.

Use the acquired Client ID, Client Secret to generate the bearer token

Client Credential

curl https://api.catapa.com/oauth/token \
  -u "<Client ID>:<Client Secret>" \
  -H "Tenant: <Tenant Code>" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials"

Change <Client ID> and <Client Secret> with the one that you get from the Apps.

And change the <Tenant Code> with your tenant code.

You should get something like this as a return

{
  "access_token": "<Access Token>",
  "token_type": "bearer",
  "expires_in": 3600
}

Now that you have obtained the bearer token, how do you use it? Every request that you send, must have that bearer token in the header.

Security Headers

Every request must include the following headers:

Header	Description
Tenant	Your unique tenant identifier (e.g., catapa).
Authorization	Your access token formatted as Bearer <Access Token>.

Notice that token is not forever. they have lifetime. You can see the lifetime of a token when you generate a new one in the expire_in key which is in second. the default is 3600 seconds.

if the token has expired, you need to regenerate the bearer token again Creating Bearer Token