Authentication Types

Overview

Authentication types provide service authentication for securely connecting to external services from the Unqork Designer Platform. Service authentication manages the credentials for authentication and allows access to external APIs in your application.

Discover more service settings in our Services Administration article, or, learn how to add a service to the environment in our Administration Services - How to: Add a Service article.

Click on the tabs below to learn more about authentication for services, encryption, and FTP:

Authentication Service Type Settings

Creators can set up access to dozens of services using the Authentication Service Type. Refer to each service's API access documentation to see which authentication method they use, and what keys must be obtained to access.

Client Secrets, passwords, and other service information are encrypted and stored in the local database.

Using the menu below, select a service to discover its settings:

Service

No Authentication

No Authentication provides support for SOAP Digital Signatures.

To learn how to set up SOAP Digital Signatures, view our Enabling Soap Digital Signatures article in the Doc Hub.

OAuth2 Client Credentials Grant

Use the OAuth2 Client Credentials grant when applications request an access token to access their own resources.

To learn more about the OAuth 2.0 Client Credentials Grant, view the following documentation: https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/.

Setting	Description
Access Token URL	Enter the URL that provides the OAuth Access Token An OAuth Access Token is a string that the OAuth client uses to make requests to the resource server.. For example, https://account-d.docusign.com/oauth/token.
Client ID	Enter the Client ID The client_id is a public identifier for apps. provided by the service. Here's an example of a Client ID from Okta: 0oa2hl2inow5Uqc6c357.
Client Secret	Enter the Client Secret The client secret is a secret known only to the application and the authorization server. The client secret acts as the applications password to the server. value provided by the service. Client Secrets commonly use cryptographically-generated values to improve access security.
Scope	Enter the access Scope Scope is a tool that limits an application's access to a user's account. An application can request one or more scopes, this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted. value. Available scopes are dependent on the service. For example, Slack provides the following scopes: read, write, and history.
Send Client ID/Secret in Body Instead of Header	When set to (checked), it sends the Client ID and Client Secret values in the body of an HTTP Request.
Perform Authentication Only	If authentication is valid, the token is sent back immediately.
Enable Token Persistence	When making requests, tokens are valid until their expiration time. At expiration, the token is no longer stored in Unqork's persisted storage. Requests after the expiration time no longer have an active token, and the service will attempt to retrieve a new one. If successful, the request continues and stores the new token. When set to (checked), this setting minimizes the number of additional authentication requests made, and the number of tokens to maintain. It does not determine whether your requests are successful or not.
Refresh Token	When setting Enable Token Persistence to (checked), the Refresh Token button displays. Click this button when an issue occurs with the connected service and your token is revoked. Clicking this button refreshing the token so you can continue to make requests.
Enable Mutual TLS	When set to (checked), it enables mLTS (Mutual Transport Layer Security) certificate selection. To learn how to add and manage certificates using Certificate Management, view our Certificate Management article in the Doc Hub.

OAuth2 Password Grant

The OAuth 2.0 Password Grant exchange's the user's username and password for an access token.

To learn more about the OAuth 2.0 Password Grant, view the following documentation: https://www.oauth.com/oauth2-servers/access-tokens/password-grant/.

Setting	Description
Access Token URL	Enter the URL that provides the OAuth Access Token An OAuth Access Token is a string that the OAuth client uses to make requests to the resource server.. For example, https://account-d.docusign.com/oauth/token.
Client ID	Enter the Client ID The client_id is a public identifier for apps. provided by the service. Here's an example of a Client ID from Okta: 0oa2hl2inow5Uqc6c357.
Client Secret	Enter the Client Secret The client secret is a secret known only to the application and the authorization server. The client secret acts as the applications password to the server. value provided by the service. Client Secrets commonly use cryptographically-generated values to improve access security.
Scope	Enter the access Scope Scope is a tool that limits an application's access to a user's account. An application can request one or more scopes, this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted. value. Available scopes are dependent on the service. For example, Slack provides the following scopes: read, write, and history.
Send Client ID/Secret in Body Instead of Header	When set to (checked), it sends the Client ID and Client Secret values in the body of an HTTP Request.
Send authentication body as 'application/json' instead of 'application/x-www-form-urlencoded' (uncommon)	When set to (checked), encodes the authentication body as JSON JSON (JavaScript Object Notation) is an open standard file and data interchange format. Unqork uses JSON for submission (record) data..
Username	Enter the username used to access the service.
Password	Enter the password used to access the service.
Perform Authentication Only	If authentication is valid, the token is sent back immediately.
Enable Mutual TLS	When set to (checked), it enables mLTS (Mutual Transport Layer Security) certificate selection. To learn how to add and manage certificates using Certificate Management, view our Certificate Management article in the Doc Hub.

OAuth 2 JWT Bearer Grant

The OAuth 2.0 Bearer Grant grant uses a JSON Web Token to carry additional information in the payload.

To learn more about the OAuth 2 JWT Bearer Format, view the following documentation: https://datatracker.ietf.org/doc/html/rfc7523.

Setting	Description
Access Token URL	Enter the URL that provides the OAuth Access Token An OAuth Access Token is a string that the OAuth client uses to make requests to the resource server.. For example, https://account-d.docusign.com/oauth/token.
Issuer (Client ID)	Enter the Client ID The client_id is a public identifier for apps. provided by the service. Here's an example of a Client ID from Okta: 0oa2hl2inow5Uqc6c357.
Subject	Enter the principal of the JWT, this is usually the user id.
Audience	The audience parameter is a list of case-sensitive URLs that cannot contain whitespaces. For example, ["https://api.my-cloud.com/user", "https://some-tenant.my-cloud.com/"].
Scope(s) to access	Enter the access Scope Scope is a tool that limits an application's access to a user's account. An application can request one or more scopes, this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted. value. Available scopes are dependent on the service. For example, Slack provides the following scopes: read, write, and history.
Token Expires in (seconds)	Set the amount of time before the access token expires, in seconds. For example, to make a token expire in 90 minutes, enter 5400. (There are 5,400 seconds in 90 minutes.) Default token expiration is 60 minutes.
Signing Algorithm	Specify an algorithm. he most common signing algorithms for JWTs are HS256 (HMAC using SHA256) and RS256 (RSA using SHA256). For more information on signing algorithm, view this link: https://www.npmjs.com/package/jsonwebtoken#algorithms-supported.
Shared/Private Key	Enter the key used to access the service.
Perform Authentication Only	If authentication is valid, the token is sent back immediately.
Enable Mutual TLS	When set to (checked), it enables mLTS (Mutual Transport Layer Security) certificate selection. To learn how to add and manage certificates using Certificate Management, view our Certificate Management article in the Doc Hub.

OAuth2 JWT Client Credential Grant Extended

The OAuth 2.0 Client Credential grant uses a JSON Web Token to carry additional information in the payload.

Setting	Description
Access Token URL	Enter the URL that provides the JWT Access Token An OAuth Access Token is a string that the OAuth client uses to make requests to the resource server.. For example, https://account-d.docusign.com/oauth/token.
Client ID	Enter the Client ID The client_id is a public identifier for apps. provided by the service. Here's an example of a Client ID from Okta: 0oa2hl2inow5Uqc6c357.
Module ID	The module ID associated with this service.
Secret key for user authorization Jwt signing	Enter the key used to authorize the JSON Web Token signing.
Encryption key for user authorization header	Enter the encryption key value used to authorize the user.
Certificate Pem	The certificate containing the Private Key.
Private Key Pem	The key contained in the certificate.
Enable Mutual TLS	When set to (checked), it enables mLTS (Mutual Transport Layer Security) certificate selection. To learn how to add and manage certificates using Certificate Management, view our Certificate Management article in the Doc Hub.

Bearer Token

Bearer authentication uses security tokens called bearer tokens. Bearer tokens are cryptic strings generated by the server in response to a login request.

Setting

Description

Bearer Token

Enter the bearer token value provided by the external service.

Enable Mutual TLS

When set to Checked Box Icon (checked), it enables mLTS (Mutual Transport Layer Security) certificate selection.

To learn how to add and manage certificates using Certificate Management, view our Certificate Management article in the Doc Hub.

WSSE Username Token Profile

A Web Services Security Extension is an extension of SOAP to apply security to Web services. It is a member of the Web service specifications and published by OASIS.

To learn more about the WSSE Username Token Profile format, view the following documentation: https://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-pr-UsernameTokenProfile-01.htm.

Setting

Description

Username

Enter the username used to access the service.

Password

Enter the password used to access the service.

Enable SOAP Digital Signature

A SOAP digital signature is a value computed with a cryptographic algorithm. When that value sends as part of a request, it lets the recipient verify the security and integrity of the incoming data.

To learn how to set up SOAP Digital Signatures, view our Enabling Soap Digital Signatures article in the Doc Hub.

Twilio

The Twilio REST API allows you to query metadata about your account, and send text messages.

To learn more about the Twilio API, view the following documentation: https://www.twilio.com/docs/iam/api-keys.

Setting	Description
Account SID	Enter the 34-digit String Identifier (SID) key provided by the Twilio resource.
Auth Token	Enter the URL that provides the OAuth Access Token An OAuth Access Token is a string that the OAuth client uses to make requests to the resource server.. For example, https://account-d.docusign.com/oauth/token.
Number	Enter the phone number assigned by Twilio to send text messages.
Express Domain	Enter the express domain assigned by twilio.

Plaid

The Plaid service enables access to Plaid's technology data transfer platform for financial products.

To learn more about the Plaid API, view the following the documentation: https://plaid.com/docs/api/.

Setting	Description
Client ID	Enter the Client ID The client_id is a public identifier for apps. provided by the service. Here's an example of a Client ID from Okta: 0oa2hl2inow5Uqc6c357.
Public Key	Enter the static public_key provided by Plaid. Newer Plaid accounts might use the Plaid Link setting: https://plaid.com/docs/link/#introduction-to-link.
Client Secret	Enter the Client Secret The client secret is a secret known only to the application and the authorization server. The client secret acts as the applications password to the server. value provided by the service. Client Secrets commonly use cryptographically-generated values to improve access security.
Environment	Choose which Plaid environment you want to access. Environments include Sandbox, Development, and Production. For more on environments, view the following Plaid documentation: https://plaid.com/docs/api/#api-host.

Custom SOAP Header

The Custom SOAP header adds a header element to a SOAP request.

Setting

Description

SOAP Header

Enter a custom value to include in the header of a SOAP request.

Enable SOAP Digital Signature

A SOAP digital signature is a value computed with a cryptographic algorithm. When that value sends as part of a request, it lets the recipient verify the security and integrity of the incoming data.

To learn how to set up SOAP Digital Signatures, view our Enabling Soap Digital Signatures article in the Doc Hub.

Enable Mutual TLS

When set to Checked Box Icon (checked), it enables mLTS (Mutual Transport Layer Security) certificate selection.

To learn how to add and manage certificates using Certificate Management, view our Certificate Management article in the Doc Hub.

Basic Auth

Basic Auth is the simplest method for creating authentication access in an HTTP Header.

Basic Authentication does not provide encryption or hashing for the transmitted credentials.

Setting

Description

Username

Enter the username used to access the service.

Password

Enter the password used to access the service.

Enable Mutual TLS

When set to Checked Box Icon (checked), it enables mLTS (Mutual Transport Layer Security) certificate selection.

To learn how to add and manage certificates using Certificate Management, view our Certificate Management article in the Doc Hub.

Canada Post

The Canada Post service enables access to the AddressComplete API. This API enables the Address Search component to search for addresses.

To learn more about the Canda Post API, view the following documentation: https://www.canadapost-postescanada.ca/ac/support/api/addresscomplete-interactive-find/.

To learn how to enable the Address Search component using Canada Post, view our Enabling Address Search Using Address Services article in the Doc Hub.

Setting	Description
API Key	Enter the API key provided by the Canada Post service.

Google Places

The Google Places service enables access to requests for location data. This API enables the Address Search component to search for addresses.

To learn more about the Google Places API, view the following documentation: https://developers.google.com/maps/documentation/places/web-service/overview

To earn how enable the Address Search component using Google Places, view our Enabling Address Search Using Address Services article in the Doc Hub.

Setting	Description
API Key	Enter the API key provided by the Google Places service.

OpenID Connect (OIDC)

OIDC is a secure exchange of information between an OpenID Provider (OP) and Unqork. The OP is any SSO Single Sign-On is an authentication scheme that enables users to use one set of login credentials across multiple services. provider, such as Okta, Microsoft Entra ID, or Amazon Cognito.

To learn more about OpenID Connect, view the following documentation: https://openid.net/developers/how-connect-works/

To learn more about OIDC in Unqork, visit our OpenID Connect (OIDC) article in the Doc Hub.

Setting

Description

Enable Mutual TLS

When set to Checked Box Icon (checked), it enables mLTS (Mutual Transport Layer Security) certificate selection.

To learn how to add and manage certificates using Certificate Management, view our Certificate Management article in the Doc Hub.

Hyperscience

The Hyperscience API provides access to the Hyperscience SaaS platform for automating document classification, identification, and extraction.

To learn more about the Hyperscience API, view the following documentation: https://docs.hyperscience.com/#getting-started-guide.

Setting

Description

API Key

Enter the API key provided by the Hyperscience service.

Enable Mutual TLS

When set to Checked Box Icon (checked), it enables mLTS (Mutual Transport Layer Security) certificate selection.

To learn how to add and manage certificates using Certificate Management, view our Certificate Management article in the Doc Hub.

HMAC

Use HMAC is a key-hashed message authentication code used to verify data integrity and authenticity of a data request.

To learn more about HMAC, view the following documentation: https://datatracker.ietf.org/doc/html/rfc2104.

To learn how to set up an HMAC service in Unqork, view our How to: Set Up HMAC (Hashed Key) Authentication article in the Doc Hub.

Setting	Description
HMAC Private Key (Armored)	Enter the Base-64 encoded string HMAC key associated with the service account.

Encryption Service Type Settings

Unqork supports the GNU Privacy Guard (GPG) method for encrypting and decrypting payloads.

Setting	Description
Service Protocol + Host	Enter the endpoint address for the service.
Authentication Method*	Set Encryption (GPG) or Decryption (GPG) as the service type's authentication method.
Encryption (GPG)	Insert the GPG Encryption value. To learn how to setup an encrypted SFTP SFTP (Secure File Transfer Protocol_ supports the transfer of files between an SFTP client and your server. Unlike FTP, it uses tunneling and performs transfers using a crytographic protocol to keep files secure. , view our How to: Set up GPG Encryption for Files article.
GPG Public Key (Armored)	Enter the public key provided by the service that's encrypting the files.
Decryption (GPG)	Insert the GPG Decryption value. To learn how to decrypt a file using GPG Encryption, view our How to: Set up GPG Encryption for Files article.
GPG Private Key (Armored)	Enter the private key provided by the service that's decrypting the files.

FTP Service Type Settings

The File Transfer Protocol service type lets Creators connect their applications to a FTP FTP (File Transfer Protocol) supports the transfer of files between an FTP client and your server. or SFTP SFTP (Secure File Transfer Protocol_ supports the transfer of files between an SFTP client and your server. Unlike FTP, it uses tunneling and performs transfers using a crytographic protocol to keep files secure. server.

Setting	Description
Authentication Method*	Set FTP FTP (File Transfer Protocol) supports the transfer of files between an FTP client and your server. or SFTP SFTP (Secure File Transfer Protocol_ supports the transfer of files between an SFTP client and your server. Unlike FTP, it uses tunneling and performs transfers using a crytographic protocol to keep files secure. as the service type's authentication method. To improve security, use the SFTP method. Only use FTP if no other option is available.
Host	Enter the FTP/SFTP server or host address.
Port (FTP Only)	For FTP connections, enter the port value. Typical FTP ports values are 20 (data port) and 21 (controlled port). SFTP uses port 22 by default.
Username	Enter the username or login value used to access the server.
Password	Enter the password value used to access the server. SFTP connections using SSH keys might not require a password, or they might require both.
SSH Private Key (.pem) (SFTP Only)	Insert the private key in .pem Privacy Enchanced Mail is a popular file format for storing and sending cryptographic keys. format. If the key uses the PuTTY (.ppk) file format, convert it to .pem using a conversion tool.
Private Key Passphrase (SFTP Only)	If your SSH key uses a passphrase, enter it in this field.

FTP Service Type Resources

Understand how SFTP authentication in Unqork works in our SFTP Authentication article.
Improve your SFTP integration with our Best Practices: FTP Integration article.
Use the Marketplace SFTP Upload Integration Template.
Connect your SFTP/FTP service to the File Storage Component.

Resources

External APIs.
Add a new service to the environment.
Using an mTLS Certificate with OAuth 2.0 Authentication.
Generating a PFX Certificate Bundle for mTLS.

Authentication Types

Overview

Authentication Service Type Settings

Service

No Authentication

OAuth2 Client Credentials Grant

OAuth2 Password Grant

OAuth 2 JWT Bearer Grant

OAuth2 JWT Client Credential Grant Extended

Bearer Token

WSSE Username Token Profile

Twilio

Plaid

Custom SOAP Header

Basic Auth

Canada Post

Google Places

OpenID Connect (OIDC)

Hyperscience

HMAC

Encryption Service Type Settings

FTP Service Type Settings

FTP Service Type Resources

Resources

Feedback

Sorry about that

Great!

Looking for more help?