Authorizing API requests

A Qlik Sense API is a protected resource. To access the API as a user, you must be a tenant admin. The API can also be accessed in a machine-to-machine scenario using a valid client credentials grant, in which the calling application authenticates with its own credentials and no user is involved. (For a definition of the client credentials grant, see Client Credentials Grant.) Every request sent to the API must carry a Bearer Access Token in the HTTP Authorization header. The Access Token tells the API that the bearer has been authorized to call it and to perform only those actions that fall within the scope granted to the token.

The following diagram illustrates the flow for authenticating and authorizing API requests.

Authentication and authorization flow:

  1. The developer creates a machine-to-machine application and an API for programmatic authentication in their Identity Provider (IdP) account and obtains the client ID and client secret (the client credentials). This is a one-time operation that must be completed before an Access Token can be requested.
  2. The developer sends a request for an Access Token to the IdP's token endpoint. The client credentials are included in the request either in the HTTP Authorization header or in the request body, depending on the IdP.
  3. After validating the client credentials, the IdP returns the Access Token to the developer. No user authentication takes place in this flow; the application itself is the authenticated party.
  4. The developer sends an HTTP request with the Access Token to the Qlik Sense API. The API receives the request, validates the Access Token, and rejects the request if the token is missing, invalid, or expired, or if the requested action is outside the granted scope.

Authorizing API requests with Auth0

You can configure Auth0 as an Identity Provider (IdP) for use with Qlik Sense. For Auth0 setup instructions, see Configuring an Auth0 identity provider.

To get the Access Token, you must make a POST request to the IdP's token endpoint. We assume that you have created an Auth0 IdP account and tenant. Make sure you have the following information:

  • The name of your Auth0 tenant
  • Client ID and client secret (collected from your IdP application)
  • Your API identifier (configured with your IdP API)

In this implementation of Auth0, the client credentials grant type is used. The client ID and client secret are passed to the token endpoint in the body of the request, together with the API identifier as the audience of the requested token.

Authorizing API requests with Okta

You can configure Okta as an IdP for use with Qlik Sense Enterprise for elastic deployments. For Okta IdP setup instructions, see Configuring an Okta identity provider.

To get the Access Token, you must make a POST request to the IdP's token endpoint. We assume that you have created an Okta IdP account and tenant. Make sure you have the following information:

  • The name of your Okta tenant
  • Client ID and client secret (collected from your IdP)

In this implementation of Okta, the client credentials grant type is used. The client ID and client secret are joined as client_id:client_secret, Base64-encoded, and passed to the token endpoint in the HTTP Authorization header of the request (HTTP Basic authentication); the request body then carries only the grant type and the requested scope.
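The following Python example is added here to show the two token requests side by side and the Bearer request that follows them; it is not code from the Qlik Sense documentation or from Auth0 or Okta. It builds the Auth0 request (credentials in a JSON body, API identifier as audience) and the Okta request (credentials as Base64 in an HTTP Basic Authorization header), parses the token response, and attaches the Access Token as a Bearer token to a Qlik Sense API call. The Okta authorization-server path (/oauth2/default/v1/token), the Okta scope parameter, the Qlik host name and the API path /api/v1/items are assumptions for illustration; the tenant names and credentials are constructed values. Nothing is sent over the network unless you call send().

```python
"""Client-credentials token requests for Auth0 and Okta, plus the Bearer
call to the Qlik Sense API. Added example; values below are constructed."""
import base64
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HttpRequest:
    """Plain description of an HTTP request so it can be inspected offline."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def auth0_token_request(tenant: str, client_id: str, client_secret: str,
                        audience: str) -> HttpRequest:
    """Auth0: the client credentials travel in the JSON body; no Authorization
    header is set. 'audience' is the API identifier configured in Auth0."""
    return HttpRequest(
        method="POST",
        url=f"https://{tenant}.auth0.com/oauth/token",
        headers={"Content-Type": "application/json"},
        body=json.dumps({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "audience": audience,
        }).encode(),
    )


def okta_token_request(tenant: str, client_id: str, client_secret: str,
                       scope: str) -> HttpRequest:
    """Okta: Base64(client_id:client_secret) goes in an HTTP Basic Authorization
    header; the form body carries only grant_type and scope."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return HttpRequest(
        method="POST",
        # Assumed path: Okta's "default" authorization server. Adjust for your org.
        url=f"https://{tenant}.okta.com/oauth2/default/v1/token",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        body=urllib.parse.urlencode(
            {"grant_type": "client_credentials", "scope": scope}).encode(),
    )


def parse_token_response(raw: bytes, now: Optional[float] = None) -> tuple:
    """Return (access_token, expires_at). Rejects error responses and non-Bearer
    tokens, and keeps a 30 s margin so the token is renewed before it expires."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise ValueError(f"token endpoint error: {data.get('error', 'no access_token')}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    now = time.time() if now is None else now
    return data["access_token"], now + float(data.get("expires_in", 0)) - 30


def api_request(qlik_host: str, path: str, access_token: str) -> HttpRequest:
    """Every Qlik Sense API call carries the token as a Bearer Authorization header."""
    return HttpRequest(
        method="GET",
        url=f"https://{qlik_host}{path}",
        headers={"Authorization": f"Bearer {access_token}"},
    )


def send(req: HttpRequest) -> bytes:
    """Perform a request with urllib. Not exercised offline."""
    r = urllib.request.Request(req.url, data=req.body or None,
                               headers=req.headers, method=req.method)
    with urllib.request.urlopen(r, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed values; replace with your tenant name and client credentials.
    a0 = auth0_token_request("acme", "cid", "csecret", "https://api.example.com")
    ok = okta_token_request("acme", "cid", "csecret", "user_default")
    print(a0.url, a0.headers)
    print(ok.url, ok.headers)
    # Typical next step: tok, exp = parse_token_response(send(ok))
    #                    send(api_request("acme.example.qlikcloud", "/api/v1/items", tok))
```

Keep the client secret out of URLs and logs in both variants: with Auth0 it is in the request body, with Okta it is recoverable from the Basic header, so the request must only ever go over TLS to the IdP's token endpoint. The expires_at value lets a long-running job refresh the token ahead of expiry instead of discovering a 401 mid-batch.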