Authentication method

How to authenticate API requests

Alloy API requests must be made over HTTPS. Calls made over plain HTTP will fail!

Additionally, all requests must include a valid API key. If you don't include one, or use one that's outdated, Alloy will return an HTTP 401 error. To receive an API key, please contact your Alloy administrator.

To authenticate your requests, use the Authorization header with the bearer scheme (RFC 6750):
Authorization: Bearer <token>

Caution

Your API keys carry many privileges, so please keep them secure! Don't share your secret API keys in publicly accessible areas, such as GitHub or client-side code.

Example JavaScript

This demonstrates making an authenticated API call to return session data for the supplied API key. For more information, see the Session endpoints on Swagger and ReDoc.

// load an HTTP request library
const axios = require('axios');

// enter your api key here!
const apiKey = 'e0e3a4ef-5ec8-4e05-ac25-a34adadf4a80';

// make a call to the api, sending the api key in the Authorization header
axios({
  method: 'GET',
  url: 'https://api.uk.alloyapp.io/api/session/me',
  headers: { Authorization: `Bearer ${apiKey}` },
})
  .then((response) => {
    // output the response data to the console
    console.log(response.data);
  })
  .catch((error) => {
    // output any error data to the console; error.response is undefined
    // when no HTTP response was received (e.g. a network failure)
    console.log(error.response ? error.response.data : error.message);
  });

Deprecated methods

The following authentication methods are deprecated and will no longer be accepted from 2025:

  • A token URL parameter:
    https://uk.alloyapp.io/api/session/me?token=<value>

  • A token header:
    Token: <value>
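
Callers still using either deprecated method can be moved to the bearer scheme by rewriting the request before it is sent. The following is an added example, not code from Alloy: migrateAuth and the axios-style config shape it accepts are hypothetical, and the sample key is constructed.

```javascript
// Added example: normalise an axios-style request config to bearer authentication.
// migrateAuth is a hypothetical helper name, not part of the Alloy API.
function migrateAuth(config) {
  const url = new URL(config.url);

  // Calls over plain HTTP fail and would expose the key in transit: refuse early.
  if (url.protocol !== 'https:') {
    throw new Error(`refusing non-HTTPS URL: ${url.origin}`);
  }

  // Copy headers, matching names case-insensitively, and lift out a Token header.
  const headers = {};
  let token;
  for (const [name, value] of Object.entries(config.headers || {})) {
    if (name.toLowerCase() === 'token') {
      token = value; // deprecated "Token: <value>" header
    } else {
      headers[name] = value;
    }
  }

  // Deprecated "?token=<value>" parameter: remove it so the key no longer
  // appears in URLs, which tend to end up in access logs and browser history.
  if (url.searchParams.has('token')) {
    token = token || url.searchParams.get('token');
    url.searchParams.delete('token');
  }

  // Leave an existing Authorization header alone; otherwise build one.
  const hasAuthorization = Object.keys(headers)
    .some((name) => name.toLowerCase() === 'authorization');
  if (!hasAuthorization) {
    if (!token) throw new Error('no API key supplied; the API would return 401');
    headers.Authorization = `Bearer ${token}`;
  }
  return { ...config, url: url.toString(), headers };
}

// Constructed sample input: a legacy call using the deprecated URL parameter.
const legacyCall = {
  method: 'GET',
  url: 'https://api.uk.alloyapp.io/api/session/me?token=CONSTRUCTED-KEY',
};
console.log(migrateAuth(legacyCall));
```
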