API Authentication
Secure access to the Infodeck API using API Keys.
Authentication Methods
| Method | Status | Header | Plan Required |
|---|---|---|---|
| API Key | Recommended | X-API-Key: idt_live_xxx... | Professional / Enterprise |
| JWT Token | Legacy (deprecating June 30, 2026) | Authorization: Bearer <token> | Professional / Enterprise |
JWT authentication and Bearer token headers are deprecated and will be removed on June 30, 2026.
Please migrate to API Key authentication before this date. See Migration Guide below.
API Key Authentication (Recommended)
API Keys provide simple, secure access for external integrations without login flows or token refresh.
Benefits
- No login required — Create once, use forever (until revoked)
- No token refresh — Keys don't expire
- Bypasses 2FA — Not affected by user 2FA settings
- Audit trail — Usage tracking with IP, user agent, and request counts
API Key Format
idt_live_[32 alphanumeric characters]
- Prefix: idt_live_ (9 characters)
- Secret: 32 random alphanumeric characters
- Total length: 41 characters
- Example: idt_live_4JtUAvekCZ5lktALZBiVyiKcwtsdbfM7
Creating an API Key
Option 1: Via Web App (Recommended)
- Navigate to Settings > API Keys
- Click Create API Key
- Enter a descriptive name (e.g., "Power BI Connector", "Zapier Integration")
- Copy and securely store the key — it's only shown once
Option 2: Via API (requires existing authentication)
```bash
curl -X POST https://app.infodeck.io/api/organizations/{organizationId}/api-keys \
  -H "Authorization: Bearer <your-jwt-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "My Integration Key"
  }'
```
Using an API Key
Add the X-API-Key header to all requests:
```bash
curl https://app.infodeck.io/api/organizations/{orgId}/work-orders \
  -H "X-API-Key: idt_live_4JtUAvekCZ5lktALZBiVyiKcwtsdbfM7"
```

```javascript
// ORG_ID holds your organization ID
const response = await fetch(
  `https://app.infodeck.io/api/organizations/${ORG_ID}/work-orders`,
  {
    headers: {
      'X-API-Key': 'idt_live_4JtUAvekCZ5lktALZBiVyiKcwtsdbfM7'
    }
  }
);
```

```python
import requests

# ORG_ID holds your organization ID
response = requests.get(
    f"https://app.infodeck.io/api/organizations/{ORG_ID}/work-orders",
    headers={"X-API-Key": "idt_live_4JtUAvekCZ5lktALZBiVyiKcwtsdbfM7"}
)
```
Managing API Keys
| Endpoint | Method | Description |
|---|---|---|
| /organizations/{orgId}/api-keys | POST | Create a new API key |
| /organizations/{orgId}/api-keys | GET | List all API keys |
| /organizations/{orgId}/api-keys/{keyId} | GET | Get key details |
| /organizations/{orgId}/api-keys/{keyId} | DELETE | Revoke a key (permanent) |
Rate Limits
| Limiter | Threshold | Window |
|---|---|---|
| Successful requests | 1,000 | 1 minute per key |
| Failed auth attempts | 5 | 15 minutes per IP |
| Key creation | 10 | 1 hour per organization |
Security Best Practices
- Store keys securely — Use environment variables or a secrets manager
- Never commit keys to source control — Add to .gitignore
- Use descriptive names — Name keys after their integration
- One key per integration — Enables targeted revocation
- Rotate keys regularly — Create new, then revoke old
- Monitor usage — Check last used IP and request counts
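An added example (not Infodeck's own code) of enforcing the "never commit keys" rule: a scanner that matches the key format documented above and reports redacted hits, usable as a pre-commit check. The first key in `SAMPLE` is constructed for this example, and the documentation's sample key is allowlisted.

```python
import re
import sys
from typing import NamedTuple

PREFIX = "idt_live_"
# 9-character prefix + 32 alphanumerics = 41 characters. The lookarounds stop
# the pattern from matching inside a longer token.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])idt_live_[A-Za-z0-9]{32}(?![A-Za-z0-9])")
# The sample key printed in the documentation is not a live secret.
DOC_EXAMPLES = {"idt_live_4JtUAvekCZ5lktALZBiVyiKcwtsdbfM7"}

class Finding(NamedTuple):
    path: str
    line: int
    redacted: str

def redact(key: str) -> str:
    """Keep the prefix and 4 secret characters so a report never holds the key."""
    keep = len(PREFIX) + 4
    return key[:keep] + "*" * (len(key) - keep)

def scan_text(text: str, path: str = "<input>") -> list[Finding]:
    """Return one redacted finding per well-formed key found in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            if m.group(0) not in DOC_EXAMPLES:
                findings.append(Finding(path, lineno, redact(m.group(0))))
    return findings

def main(paths: list[str]) -> int:
    """Pre-commit style entry point: exit status 1 if any file holds a key."""
    found = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            found += scan_text(fh.read(), p)
    for f in found:
        print(f"{f.path}:{f.line}: Infodeck API key {f.redacted}")
    return 1 if found else 0

# Constructed sample input; the key on the first line is made up.
SAMPLE = '''\
INFODECK_KEY = "idt_live_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6"
curl -H "X-API-Key: idt_live_4JtUAvekCZ5lktALZBiVyiKcwtsdbfM7"
headers = {"X-API-Key": "idt_live_xxx..."}
'''

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with the staged file paths as arguments; a non-zero exit status blocks the commit.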
JWT Authentication (Legacy)
JWT authentication is deprecated and will be removed on June 30, 2026. Please migrate to API Keys.
JWT tokens require a login flow and periodic refresh. This method is being phased out in favor of API Keys.
How JWT Works
- Login — POST credentials to /authentications/tokens
- Extract tokens — Access token, refresh token, ID token
- Make requests — Include token in Authorization header
- Refresh — Tokens expire after 1 hour; use refresh token to get new ones
JWT Login Example
```javascript
// Step 1: Login
const loginResponse = await fetch('https://app.infodeck.io/api/authentications/tokens', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ account: 'user@example.com', password: 'xxx' })
});
const { data } = await loginResponse.json();
const { token, idToken, refreshToken } = data;

// Step 2: Extract organization ID from idToken
// JWT segments are base64url-encoded, so map '-' and '_' back to the
// standard base64 alphabet before calling atob(). This only decodes the
// payload; it does not verify the token's signature.
const payloadB64 = idToken.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
const payload = JSON.parse(atob(payloadB64));
const organizationId = payload.organizationId;

// Step 3: Make API requests
const response = await fetch(`https://app.infodeck.io/api/organizations/${organizationId}/assets`, {
  headers: {
    'Authorization': `Bearer ${token}`
  }
});
```
Migrating from JWT to API Keys
Step 1: Check Your Plan
API Keys require Professional or Enterprise plan. Check your plan in Settings > Subscription.
Step 2: Create API Keys
- Go to Settings > API Keys
- Create a key for each integration currently using JWT
- Store keys securely
Step 3: Update Your Code
Before (JWT):
```javascript
// Login required
const { token } = await login(email, password);
const response = await fetch(url, {
  headers: { 'Authorization': `Bearer ${token}` }
});
```
After (API Key):
```javascript
// No login needed
const response = await fetch(url, {
  headers: { 'X-API-Key': 'idt_live_xxx...' }
});
```
Step 4: Remove JWT Code
Once all integrations use API Keys, remove:
- Login/authentication code
- Token refresh logic
- Token storage
Error Responses
| Status | Error | Cause |
|---|---|---|
| 401 | Invalid API key format | Key doesn't match idt_live_ pattern |
| 401 | Invalid API key | Key not found |
| 401 | API key has been revoked | Key was revoked |
| 403 | API access requires Professional or Enterprise plan | Plan doesn't include API access |
| 429 | Too many requests | Rate limit exceeded |
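An added example, not part of the Infodeck documentation, of a client that acts on these responses: it loads the key from the environment, fails fast on 401 and 403, and backs off only on 429. The `INFODECK_API_KEY` variable name, the `send` transport hook and the 1s/2s/4s backoff schedule are assumptions.

```python
import os
import re
import time

KEY_RE = re.compile(r"idt_live_[A-Za-z0-9]{32}")  # format documented on this page

class AuthError(Exception):
    """401: malformed, unknown or revoked key. Retrying cannot fix it."""

class PlanError(Exception):
    """403: the plan does not include API access."""

class RateLimited(Exception):
    """429 persisted through every retry."""

def load_key(env=os.environ, var="INFODECK_API_KEY"):  # variable name is an assumption
    """Read the key from the environment and reject malformed values locally,
    so a bad value never costs a request that would come back 401."""
    key = env.get(var, "").strip()
    if not KEY_RE.fullmatch(key):
        raise AuthError(f"{var} is unset or does not match the idt_live_ format")
    return key

def call(send, url, key, max_tries=4, base_delay=1.0, sleep=time.sleep):
    """send(url, headers) -> (status, body) is a hypothetical transport hook."""
    for attempt in range(max_tries):
        status, body = send(url, {"X-API-Key": key})
        if status == 401:
            # Fail fast: failed auth attempts are limited to 5 per 15 minutes
            # per IP, so a retry loop on 401 only burns that budget.
            raise AuthError(body)
        if status == 403:
            raise PlanError(body)
        if status != 429:
            return status, body
        if attempt < max_tries - 1:
            sleep(base_delay * 2 ** attempt)  # assumed schedule: 1s, 2s, 4s
    raise RateLimited(f"still rate limited after {max_tries} attempts")
```

In production, pass a `send` that wraps your HTTP library and returns the status code and response body.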
FAQ
Q: Do I need to call the login endpoint when using API Keys?
No. API Keys bypass login entirely. Just add the X-API-Key header.
Q: Does 2FA affect API Key authentication?
No. 2FA only applies to the login flow. API Keys are independent.
Q: Can I use both API Key and JWT in the same request?
The API checks for X-API-Key first. If present, it uses API Key auth and ignores the Authorization header.
Q: What happens if my plan is downgraded?
API Keys stop working immediately with a 403 error.
Q: Can I recover a revoked key?
No. Revocation is permanent. Create a new key instead.
Need help migrating? Contact Support