Service authentication
This guide explains how to use OAuth 2.0 authentication to protect your Automator services using the Client Credentials Grant flow as defined in RFC 6749 Section 4.4.
Overview
OAuth 2.0 authentication provides a secure way to protect your service endpoints using industry-standard token-based authentication. When a service is protected with OAuth, external applications must:
- Obtain an access token using valid OAuth credentials
- Include the access token in the Authorization header when calling the service
- Refresh the token before it expires (tokens are valid for 1 hour)
Setting Up OAuth for a Service
Step 1: Configure Service Authentication
- Open your profile in the Automator web interface
- Navigate to the Services section
- Select the service you want to protect
- In the Authentication Method dropdown, select OAuth 2.0 (Client Credentials)
Step 2: Generate OAuth Credentials
- Click the Add button next to the dropdown
- The system will generate:
  - Client ID: A unique identifier (starts with svc_)
  - Client Secret: A secret key for authentication
- IMPORTANT: Copy the client secret immediately - it will not be shown again
- Store both the client ID and secret securely
- Save your profile
The service endpoint is now protected using OAuth 2.0.
Using OAuth Authentication
Step 1: Obtain an Access Token
External applications must first obtain an access token by calling the OAuth endpoint:
curl -X POST https://automator.example.com/oauth/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=svc_abc123..." \
-d "client_secret=def456..." \
-d "service_uuid=12345678-1234-1234-1234-123456789abc" \
-d "profile=my-profile" \
-d "environment=production"
Success Response:
{
"access_token": "eyJhbGciOiJSUzI1Ni...",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "service:call"
}
Access tokens are valid for 1 hour (3600 seconds). Applications should check the expires_in field in the token response and request a new token before the current one expires.
Step 2: Call the Protected Service
Use the access token in the Authorization header when calling your service:
curl -X POST https://automator.example.com/service/my-profile/production/json/my-service \
-H "Authorization: Bearer eyJhbGciOiJSUzI1Ni..." \
-H "Content-Type: application/json" \
-d '{"data": "value"}'
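A client that carries out the two steps above end to end, as an added example rather than code from the Automator project: it posts the same form fields as the curl command, caches the token, honours expires_in by refreshing before the token expires, and sends the Bearer header on every service call. The 300-second refresh margin, the FakeAutomator transport (a constructed stand-in so the script runs offline), the token values it issues, and the single retry after a 401 are this example's own assumptions; the page does not document the error responses of the token endpoint or of a protected service.

```python
import collections
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://automator.example.com/oauth/token"  # token endpoint from the page
REFRESH_MARGIN_SECONDS = 300  # assumption: refresh 5 minutes before the token expires
Response = collections.namedtuple("Response", "status body")


def urllib_transport(url, body, headers):
    """Real HTTP transport: POST body to url; returns the status instead of raising on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return Response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return Response(err.code, err.read())


class ServiceClient:
    """Obtains a token with the client credentials grant and caches it until it nears expiry."""

    def __init__(self, client_id, client_secret, service_uuid, profile, environment,
                 transport=urllib_transport, clock=time.time):
        # The form fields are exactly those of the curl example on the page.
        self._form = {"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "service_uuid": service_uuid,
                      "profile": profile, "environment": environment}
        self._transport, self._clock = transport, clock
        self._token, self._expires_at = None, 0.0
        self.token_requests = 0  # how many times the token endpoint was called

    def access_token(self):
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN_SECONDS:
            body = urllib.parse.urlencode(self._form).encode()
            resp = self._transport(TOKEN_URL, body,
                                   {"Content-Type": "application/x-www-form-urlencoded"})
            self.token_requests += 1
            if resp.status != 200:
                raise RuntimeError(f"token request failed with HTTP {resp.status}")
            payload = json.loads(resp.body)
            self._token = payload["access_token"]
            # Honour expires_in from the response rather than hard-coding the 1 hour lifetime.
            self._expires_at = self._clock() + float(payload["expires_in"])
        return self._token

    def call(self, service_url, payload):
        """POST JSON to the protected service with the Bearer header; retry once on 401."""
        body = json.dumps(payload).encode()
        for attempt in (1, 2):
            headers = {"Authorization": f"Bearer {self.access_token()}",
                       "Content-Type": "application/json"}
            resp = self._transport(service_url, body, headers)
            if resp.status != 401 or attempt == 2:
                return resp
            # Token rejected (e.g. its credential was deleted, which invalidates every token
            # issued with it): drop the cached token and try once more with a fresh one.
            self._token = None


class FakeAutomator:
    """Constructed stand-in for the token endpoint and a protected service, so the example
    runs offline. It issues tokens tok0, tok1, ... (not real JWTs) and echoes service calls."""

    def __init__(self, client_secret):
        self.secret, self.issued, self.revoked = client_secret, [], set()

    def __call__(self, url, body, headers):
        if url == TOKEN_URL:
            form = urllib.parse.parse_qs(body.decode())
            if form.get("grant_type") != ["client_credentials"] or form.get("client_secret") != [self.secret]:
                return Response(401, b'{"error": "invalid_client"}')
            self.issued.append(f"tok{len(self.issued)}")
            return Response(200, json.dumps({"access_token": self.issued[-1], "token_type": "Bearer",
                                             "expires_in": 3600, "scope": "service:call"}).encode())
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
        if token not in self.issued or token in self.revoked:
            return Response(401, b"")
        return Response(200, body)


def demo():
    """Exercise token reuse, refresh before expiry, and recovery after a token is invalidated."""
    clock = [1_000_000.0]  # controllable clock so the 1 hour lifetime can be simulated
    fake = FakeAutomator("def456-secret")
    client = ServiceClient("svc_abc123", "def456-secret", "12345678-1234-1234-1234-123456789abc",
                           "my-profile", "production", transport=fake, clock=lambda: clock[0])
    url = "https://automator.example.com/service/my-profile/production/json/my-service"
    statuses = [client.call(url, {"data": "value"}).status]      # first call fetches tok0
    statuses.append(client.call(url, {"data": "value"}).status)  # same hour: tok0 reused
    clock[0] += 3600 - REFRESH_MARGIN_SECONDS                    # inside the margin: tok1
    statuses.append(client.call(url, {"data": "value"}).status)
    fake.revoked.add(client.access_token())                      # credential deleted server-side
    statuses.append(client.call(url, {"data": "value"}).status)  # 401, refresh to tok2, then 200
    return {"statuses": statuses, "token_requests": client.token_requests, "issued": fake.issued}
```

Running demo() shows three token requests for four service calls: the second call reuses the cached token, the third refreshes because the clock has moved inside the margin, and the fourth recovers from a 401 by fetching a new token. Against a real deployment, pass a ServiceClient without the transport argument so urllib_transport is used. Note that the fake still accepts the same secret after the token is revoked; if the credential itself has been deleted, the retry's token request fails and the client raises, which is why the rotation procedure later on this page keeps the old credential active until every application has moved to the new one.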
Managing OAuth Credentials
Viewing Credentials
In the service editor, you can see:
- All active credentials for the service
- The client ID for each credential
- When each credential was created
Note: Client secrets are only shown once during generation for security reasons.
Deleting Credentials
To remove a credential:
- Click the "Remove" button next to the credential
- Confirm the deletion
- Save your profile
Warning: Deleting a credential will immediately invalidate all tokens issued with it.
Credential Rotation
Services support up to 2 credentials simultaneously for seamless rotation.
To rotate credentials without downtime:
- Generate a new credential while keeping the old one active
- Update your applications to use the new credential
- Verify all applications are using the new credential
- Delete the old credential