authentik/website/developer-docs/api/api.md

---
title: API
---

Starting with 2021.3.5, every authentik instance has a built-in API browser, which can be accessed at https://authentik.company/api/v3/.

To generate an API client, you can use the OpenAPI v3 schema at https://authentik.company/api/v3/schema/.

While testing, the API requests are authenticated by your browser session.

## Authentication

For any of the token-based methods, set the `Authorization` header to `Bearer <token>`.

### Session

When authenticating with a flow, you'll get an authenticated Session cookie, that can be used for authentication. Keep in mind that in this context, a CSRF header is also required.

### API Token

Superusers can create tokens to authenticate as any user with a static key, which can optionally be expiring and auto-rotate.

### JWT Token

OAuth2 clients can request the scope `goauthentik.io/api`, which allows their OAuth Refresh token to be used to authenticate to the API.
website: add comparison based on vector.dev's site Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-03-18 21:02:04 +00:00			`---`
			`title: API`
			`---`

api: add v3 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-09-02 15:40:02 +00:00			`Starting with 2021.3.5, every authentik instance has a built-in API browser, which can be accessed at https://authentik.company/api/v3/.`
website: add comparison based on vector.dev's site Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-03-18 21:02:04 +00:00
api: add v3 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-09-02 15:40:02 +00:00			`To generate an API client, you can use the OpenAPI v3 schema at https://authentik.company/api/v3/schema/.`
website: add comparison based on vector.dev's site Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-03-18 21:02:04 +00:00
website: separate development docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-18 15:25:03 +00:00			`While testing, the API requests are authenticated by your browser session.`
website: add comparison based on vector.dev's site Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-03-18 21:02:04 +00:00
api: add basic jwt support with required scope (#2624) * api: add basic jwt support with required scope Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * api: only set auth_via when actually authenticating via token Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * save consented permissions in user consent, re-prompt when new permissions are required Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * update locale Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * translate special scope map Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * more api auth tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * build web api in e2e tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * link generated client instead of copying Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-06-26 15:51:15 +00:00			`## Authentication`

			For any of the token-based methods, set the `Authorization` header to `Bearer <token>`.

			`### Session`

			`When authenticating with a flow, you'll get an authenticated Session cookie, that can be used for authentication. Keep in mind that in this context, a CSRF header is also required.`

			`### API Token`

			`Superusers can create tokens to authenticate as any user with a static key, which can optionally be expiring and auto-rotate.`

			`### JWT Token`

			OAuth2 clients can request the scope `goauthentik.io/api`, which allows their OAuth Refresh token to be used to authenticate to the API.