Create a Secret

API credentials for both endpoint systems must be created and added to the Secret Service. This allows the data flow to access API tokens, etc. securely, without having them hardcoded into the flow configuration, making them visible to anyone with read access to the flow. This also allows the credentials to be stored encrypted at rest.

  1. Open the Postman Collection.
  2. Open Secret Service > POST: Create a secret.
  3. Ensure the appropriate “Environment” is selected (top-right)
  4. In the “body” tab, enter the appropriate data to create a secret of the desired type. Make sure to include tenant ownership.

Example of an API Key Secret:

Copy
Copied
{
  "data": {
    "value": {
     "key": "<key>"
    }
    "tenant": "<tenant id>",
    "type": "API_KEY",
    "name": "<some identifiable name>",
  }
}

Example of a Bearer Token:

Copy
Copied
{
  "data": {
    "value": {
      "headerName": "Authorization",
      "key": "Bearer <token>"
    },
    "tenant": "<tenant id>",
    "type": "API_KEY",
    "name": "<some identifiable name>",
  }
}

Example of Basic Authentication:

Copy
Copied
{
  "data": {
    "value": {
      "username": "<username>",
      "passphrase": "<password>"
    },
    "tenant": "<tenant id>",
    "type": "SIMPLE",
    "name": "<some identifiable name>",
  }
}

Example of Oauth Token:

Copy
Copied
{
    "data": {
        "name": "<some identifiable name>",
        "type": "OA2_AUTHORIZATION_CODE",
        "tenant": "<tenant id>",
        "value": {
            "authClientId": "<auth client>",
            "refreshToken": "<refresh token>",
            "accessToken": "<access token>",
            "scope": "<oauth scope values>",
            "expires": ""
        }
    }
}
  1. Click “Send” to create the secret.
  2. Save the secret ID. You’ll use it to refer to that credential when configuring API calls in your flows.

It’s important to be very careful about who has access to secrets. These hold potentially powerful credentials to your users’ systems. Limit access for both people and applications to the bare minimum necessary to support your integrations.

Oauth Clients

The OIH Secret Service uses "auth clients" to facilitate the Oauth flow and create an Oauth secret.

Example of Auth Client:

Copy
Copied
{
  "data": {
    "clientId": "<API key>",
    "clientSecret": "<API secret>",
    "redirectUri": "<redirect URI>",
    "endpoints": {
        "auth": "<authorization URL>",
        "token": "<access token URL>"
    },
    "tenant": "<tenant id>",
    "type": "OA2_AUTHORIZATION_CODE",
    "name": "<some identifiable name>",
  }
}