Authentication Types


Authentication types provide service authentication for securely connecting to external services from the Unqork Designer Platform. Service authentication manages the credentials for authentication and allows access to external APIs in your application.

Discover more service settings in our Services Administration article, or learn how to add a service to the environment in our Administration Services - How to: Add a Service article.

Authentication Settings

Click on the tabs below to learn more about authentication for services, encryption, and FTP:

Authentication Service Type Settings

Creators can set up access to dozens of services using the Authentication Service Type. Refer to each service's API access documentation to see which authentication method it uses and which keys you must obtain for access.

Client Secrets, passwords, and other service information are encrypted and stored in the local database.

Using the menu below, select a service to discover its settings:

No Authentication

No Authentication provides support for SOAP Digital Signatures.

To learn how to set up SOAP Digital Signatures, view our Enabling Soap Digital Signatures article in the Doc Hub.

OAuth2 Client Credentials Grant

Use the OAuth2 Client Credentials grant when applications request an access token to access their own resources.

To learn more about the OAuth 2.0 Client Credentials Grant, view the following documentation: https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/.

Setting

Description

Access Token URL

Enter the URL that provides the OAuth Access Token. For example, https://account-d.docusign.com/oauth/token.

Client ID

Enter the Client ID provided by the service. Here's an example of a Client ID from Okta: 0oa2hl2inow5Uqc6c357.

Client Secret

Enter the Client Secret value provided by the service. Client Secrets commonly use cryptographically-generated values to improve access security.

Scope

Enter the access Scope value. Available scopes are dependent on the service. For example, Slack provides the following scopes: read, write, and history.

Send Client ID/Secret in Body Instead of Header

When set to (checked), it sends the Client ID and Client Secret values in the body of an HTTP request.

Perform Authentication Only

If authentication is valid, the token is sent back immediately.

Enable Token Persistence

When making requests, tokens are valid until their expiration time. At expiration, the token is no longer stored in Unqork's persisted storage. Requests after the expiration time no longer have an active token, and the service will attempt to retrieve a new one. If successful, the request continues and stores the new token.

When set to (checked), this setting minimizes the number of additional authentication requests made and the number of tokens to maintain. It does not determine whether your requests are successful or not.

Refresh Token                                                                                                    

When setting Enable Token Persistence to (checked), the Refresh Token button displays. Click this button when an issue occurs with the connected service or when your token is revoked. Clicking this button refreshes the token so you can continue to make requests.

Enable Mutual TLS

When set to (checked), it enables the mTLS (Mutual Transport Layer Security) certificate selection.

To learn how to add and manage certificates using Certificate Management, view our Certificate Management article in the Doc Hub.
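The caching behavior that Enable Token Persistence and Refresh Token describe, as an added Python sketch (not Unqork's implementation). The `PersistedToken` class, the injected `fetch` callable and the fake clock are hypothetical names used for illustration.

```python
import time
from typing import Callable, Optional, Tuple


class PersistedToken:
    """Keeps one access token and reuses it until its expiration time."""

    def __init__(self, fetch: Callable[[], Tuple[str, int]],
                 clock: Callable[[], float] = time.time):
        self.fetch = fetch            # hypothetical: returns (access_token, expires_in)
        self.clock = clock
        self.token: Optional[str] = None
        self.expires_at = 0.0
        self.auth_requests = 0        # how many times the token endpoint was called

    def refresh(self) -> str:
        """Discard the stored token and get a new one (the Refresh Token action)."""
        token, expires_in = self.fetch()
        self.auth_requests += 1
        self.token = token
        self.expires_at = self.clock() + expires_in
        return token

    def get(self) -> str:
        """Return the stored token, fetching a new one only at or after expiry."""
        if self.token is None or self.clock() >= self.expires_at:
            return self.refresh()
        return self.token


def demo():
    """Four requests over two hours against a constructed one-hour token."""
    now = [1000.0]                    # fake clock, in seconds
    issued = []

    def fake_fetch():
        issued.append(f"tok-{len(issued) + 1}")
        return issued[-1], 3600

    cache = PersistedToken(fake_fetch, clock=lambda: now[0])
    first = cache.get()               # nothing stored yet: authenticates
    now[0] += 1800
    second = cache.get()              # still valid: reused, no auth request
    now[0] += 1800
    third = cache.get()               # expired: authenticates again
    fourth = cache.refresh()          # manual refresh, e.g. after revocation
    return [first, second, third, fourth], cache.auth_requests


if __name__ == "__main__":
    print(demo())
```

A revoked token still looks valid to the cache until it expires, which is why the manual refresh path exists.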

OAuth2 Password Grant

The OAuth 2.0 Password Grant exchanges the user's username and password for an access token.

To learn more about the OAuth 2.0 Password Grant, view the following documentation: https://www.oauth.com/oauth2-servers/access-tokens/password-grant/.

Setting

Description

Access Token URL

Enter the URL that provides the OAuth Access Token. For example, https://account-d.docusign.com/oauth/token.

Client ID

Enter the Client ID provided by the service. Here's an example of a Client ID from Okta: 0oa2hl2inow5Uqc6c357.

Client Secret

Enter the Client Secret value provided by the service. Client Secrets commonly use cryptographically-generated values to improve access security.

Scope

Enter the access Scope value. Available scopes are dependent on the service. For example, Slack provides the following scopes: read, write, and history.

Send Client ID/Secret in Body Instead of Header

When set to (checked), it sends the Client ID and Client Secret values in the body of an HTTP request.

Send authentication body as 'application/json' instead of 'application/x-www-form-urlencoded' (uncommon)

When set to (checked), encodes the authentication body as JSON.

Username

Enter the username used to access the service.

Password

Enter the password used to access the service.

Perform Authentication Only

If authentication is valid, the token is sent back immediately.

Enable Mutual TLS

When set to (checked), it enables the mTLS (Mutual Transport Layer Security) certificate selection.

To learn how to add and manage certificates using Certificate Management, view our Certificate Management article in the Doc Hub.
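The request shapes selected by Send Client ID/Secret in Body Instead of Header and by the JSON body option, for both the Client Credentials and Password grants, as an added example that is not Unqork's code. `build_token_request`, `decode_basic` and the sample credentials are constructed for illustration, and no network call is made.

```python
import base64
import json
from urllib.parse import quote_plus, unquote_plus, urlencode


def build_token_request(grant, client_id, client_secret, scope="",
                        username=None, password=None,
                        creds_in_body=False, json_body=False):
    """Return (headers, body) for a token request; nothing is sent."""
    if grant == "client_credentials":
        params = {"grant_type": "client_credentials"}
    elif grant == "password":
        if not username or not password:
            raise ValueError("password grant needs username and password")
        params = {"grant_type": "password",
                  "username": username, "password": password}
    else:
        raise ValueError(f"unsupported grant: {grant}")
    if scope:
        params["scope"] = scope

    headers = {}
    if creds_in_body:
        # Checked: the secret travels in the body, so it can end up wherever
        # request bodies are logged or captured.
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        # Unchecked: HTTP Basic header, per RFC 6749 section 2.3.1.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()

    if json_body:
        headers["Content-Type"] = "application/json"
        body = json.dumps(params)
    else:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        body = urlencode(params)
    return headers, body


def decode_basic(header_value):
    """Base64 is an encoding, not encryption: the header decodes back to the secret."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    client_id, _, secret = base64.b64decode(encoded).decode().partition(":")
    return unquote_plus(client_id), unquote_plus(secret)
```

RFC 6749 section 2.3.1 prefers the header form and reserves body credentials for clients that cannot use HTTP Basic. In both forms the secret is readable by anything that sees the request, so the Access Token URL must be HTTPS.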

OAuth 2 JWT Bearer Grant

The OAuth 2.0 Bearer Grant uses a JSON Web Token to carry additional information in the payload.

To learn more about the OAuth 2 JWT Bearer Format, view the following documentation: https://datatracker.ietf.org/doc/html/rfc7523.

Setting

Description

Access Token URL

Enter the URL that provides the OAuth Access Token. For example, https://account-d.docusign.com/oauth/token.

Issuer (Client ID)

Enter the Client ID provided by the service. Here's an example of a Client ID from Okta: 0oa2hl2inow5Uqc6c357.

Subject

Enter the principal of the JWT; this is usually the user ID.

Audience

The audience parameter is a list of case-sensitive URLs that cannot contain whitespaces. For example, ["https://api.my-cloud.com/user", "https://some-tenant.my-cloud.com/"].

Scope(s) to access

Enter the access Scope value. Available scopes are dependent on the service. For example, Slack provides the following scopes: read, write, and history.

Token Expires in (seconds)

Set the amount of time before the access token expires, in seconds. For example, to make a token expire in 90 minutes, enter 5400. (There are 5,400 seconds in 90 minutes.)

Default token expiration is 60 minutes.

Signing Algorithm

Specify an algorithm. The most common signing algorithms for JWTs are HS256 (HMAC using SHA256) and RS256 (RSA using SHA256).

For more information on signing algorithms, view this link: https://www.npmjs.com/package/jsonwebtoken#algorithms-supported.

Shared/Private Key

Enter the key used to access the service.

Perform Authentication Only

If authentication is valid, the token is sent back immediately.

Enable Mutual TLS

When set to (checked), it enables the mTLS (Mutual Transport Layer Security) certificate selection.

To learn how to add and manage certificates using Certificate Management, view our Certificate Management article in the Doc Hub.
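How the Issuer, Subject, Audience, Token Expires in and Shared/Private Key settings map onto an RFC 7523 assertion, as an added example (not Unqork's code) that signs with HS256 using only the standard library and also shows the checks a token endpoint applies. The function names, sample key and URLs are constructed, and sending Scope as a request parameter is an assumption.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # defined by RFC 7523


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(issuer, subject, audience, expires_in, key: bytes, now=None) -> str:
    """Build and HS256-sign the JWT; exp is issue time plus 'Token Expires in'."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + expires_in}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(signature)}"


def verify_assertion(token: str, key: bytes, expected_audience: str, now=None) -> dict:
    """Checks a token endpoint applies before it issues an access token."""
    now = int(time.time() if now is None else now)
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(claims_b64))
        signature = b64url_decode(sig_b64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("not JSON objects")
    except ValueError:
        raise ValueError("malformed token") from None
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    audiences = claims.get("aud", [])
    if isinstance(audiences, str):
        audiences = [audiences]
    if expected_audience not in audiences:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def token_request_body(assertion: str, scope: str) -> str:
    """Form body posted to the Access Token URL (scope placement is an assumption)."""
    return urlencode({"grant_type": GRANT_TYPE, "assertion": assertion, "scope": scope})
```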

OAuth2 JWT Client Credential Grant Extended

The OAuth 2.0 Client Credential grant uses a JSON Web Token to carry additional information in the payload.

Setting

Description

Access Token URL

Enter the URL that provides the JWT Access Token. For example, https://account-d.docusign.com/oauth/token.

Client ID

Enter the Client ID provided by the service. Here's an example of a Client ID from Okta: 0oa2hl2inow5Uqc6c357.

Module ID

The module ID associated with this service.

Secret key for user authorization JWT signing

Enter the key used to authorize the JSON Web Token signing.

Encryption key for user authorization header

Enter the encryption key value used to authorize the user.

Certificate Pem

The certificate containing the Private Key.

Private Key Pem

The key contained in the certificate.

Enable Mutual TLS

When set to (checked), it enables the mTLS (Mutual Transport Layer Security) certificate selection.

To learn how to add and manage certificates using Certificate Management, view our Certificate Management article in the Doc Hub.

Bearer Token

Bearer authentication uses security tokens called bearer tokens. Bearer tokens are cryptic strings generated by the server in response to a login request.

Setting

Description

Bearer Token

Enter the bearer token value provided by the external service.

Enable Mutual TLS

When set to (checked), it enables the mTLS (Mutual Transport Layer Security) certificate selection.

To learn how to add and manage certificates using Certificate Management, view our Certificate Management article in the Doc Hub.

WSSE Username Token Profile

A Web Services Security Extension is an extension of SOAP to apply security to Web services. It is a member of the Web service specifications and is published by OASIS.

To learn more about the WSSE Username Token Profile format, view the following documentation: https://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-pr-UsernameTokenProfile-01.htm.

Setting

Description

Username

Enter the username used to access the service.

Password

Enter the password used to access the service.

Enable SOAP Digital Signature

A SOAP digital signature is a value computed with a cryptographic algorithm. When that value is sent as part of a request, it lets the recipient verify the security and integrity of the incoming data.

To learn how to set up SOAP Digital Signatures, view our Enabling Soap Digital Signatures article in the Doc Hub.

Twilio

The Twilio REST API allows you to query metadata about your account and send text messages.

To learn more about the Twilio API, view the following documentation: https://www.twilio.com/docs/iam/api-keys.

Setting

Description

Account SID

Enter the 34-digit String Identifier (SID) key provided by the Twilio resource.

Auth Token

Enter the URL that provides the OAuth Access Token. For example, https://account-d.docusign.com/oauth/token.

Number

Enter the phone number assigned by Twilio to send text messages.

Express Domain

Enter the express domain assigned by Twilio.

Plaid

The Plaid service enables access to Plaid's technology data transfer platform for financial products.

To learn more about the Plaid API, view the following documentation: https://plaid.com/docs/api/.

Setting

Description

Client ID

Enter the Client ID provided by the service. Here's an example of a Client ID from Okta: 0oa2hl2inow5Uqc6c357.

Public Key

Enter the static public_key provided by Plaid.

Newer Plaid accounts might use the Plaid Link setting: https://plaid.com/docs/link/#introduction-to-link.

Client Secret

Enter the Client Secret value provided by the service. Client Secrets commonly use cryptographically-generated values to improve access security.

Environment

Choose which Plaid environment you want to access. Environments include Sandbox, Development, and Production.

For more on environments, view the following Plaid documentation: https://plaid.com/docs/api/#api-host

Custom SOAP Header

The Custom SOAP header adds a header element to a SOAP request.

Setting

Description

SOAP Header

Enter a custom value to include in the header of a SOAP request.

Enable SOAP Digital Signature

A SOAP digital signature is a value computed with a cryptographic algorithm. When that value is sent as part of a request, it lets the recipient verify the security and integrity of the incoming data.

To learn how to set up SOAP Digital Signatures, view our Enabling Soap Digital Signatures article in the Doc Hub.

Enable Mutual TLS

When set to (checked), it enables the mTLS (Mutual Transport Layer Security) certificate selection.

To learn how to add and manage certificates using Certificate Management, view our Certificate Management article in the Doc Hub.

Basic Auth

Basic Auth is the simplest method for creating authentication access in an HTTP Header.

Basic Authentication does not provide encryption or hashing for the transmitted credentials.

Setting

Description

Username

Enter the username used to access the service.

Password

Enter the password used to access the service.

Enable Mutual TLS

When set to (checked), it enables the mTLS (Mutual Transport Layer Security) certificate selection.

To learn how to add and manage certificates using Certificate Management, view our Certificate Management article in the Doc Hub.

Canada Post

The Canada Post service enables access to the AddressComplete API. This API enables the Address Search component to search for addresses.

To learn more about the Canada Post API, view the following documentation: https://www.canadapost-postescanada.ca/ac/support/api/addresscomplete-interactive-find/.

To learn how to enable the Address Search component using Canada Post, view our Enabling Address Search Using Address Services article in the Doc Hub.

Setting

Description

API Key

Enter the API key provided by the Canada Post service.

Google Places

The Google Places service enables access to requests for location data. This API enables the Address Search component to search for addresses.

To learn more about the Google Places API, view the following documentation: https://developers.google.com/maps/documentation/places/web-service/overview.

To learn how to enable the Address Search component using Canada Post, view our Enabling Address Search Using Address Services article in the Doc Hub.

Setting

Description

API Key

Enter the API key provided by the Google Places service.

Amazon S3

Authenticate with an Amazon S3 bucket using an Access Key ID and Secret Access Key. You’ll also set up the required Amazon S3 region.

To learn more about the Amazon S3 service, view the following documentation: https://docs.aws.amazon.com/AmazonS3/latest/userguide/GetStartedWithS3.html.

Setting

Description

Access Key ID

Amazon’s Access Key ID is public and can be shared. It is used together with the Secret Access Key to configure authentication.

Secret Access Key

Use your Amazon S3 bucket’s Secret Access Key in association with the Access Key ID to authenticate your bucket.

Region

The supported region of your Amazon S3 bucket.

To learn more about supported Amazon regions, view the following link: Regional and Zonal endpoints for directory buckets - Amazon Simple Storage Service.

Azure Blob Storage

Authenticate with Azure Blob Storage using your connection string(s).

To learn more about the Google Places API, view the following documentation: https://developers.google.com/maps/documentation/places/web-service/overview.

Setting

Description

Connection String  

Use your Azure connection string, found in your Azure Portal, to authenticate with Azure Blob Storage.

OpenID Connect (OIDC)

OIDC is a secure exchange of information between an OpenID Provider (OP) and Unqork. The OP is any SSO provider, such as Okta, Microsoft Entra ID, or Amazon Cognito.

To learn more about OpenID Connect, view the following documentation: https://openid.net/developers/how-connect-works/.

To learn more about OIDC in Unqork, visit our OpenID Connect (OIDC) article in the Doc Hub.

Setting

Description

Enable Mutual TLS

When set to (checked), it enables the mTLS (Mutual Transport Layer Security) certificate selection.

To learn how to add and manage certificates using Certificate Management, view our Certificate Management article in the Doc Hub.

Hyperscience

The Hyperscience API provides access to the Hyperscience SaaS platform for automating document classification, identification, and extraction.

To learn more about the Hyperscience API, view the following documentation: https://docs.hyperscience.com/#getting-started-guide.

Setting

Description

API Key

Enter the API key provided by the Hyperscience service.

Enable Mutual TLS

When set to (checked), it enables the mTLS (Mutual Transport Layer Security) certificate selection.

To learn how to add and manage certificates using Certificate Management, view our Certificate Management article in the Doc Hub.

HMAC

HMAC is a keyed-hash message authentication code used to verify the data integrity and authenticity of a data request.

To learn more about HMAC, view the following documentation: https://datatracker.ietf.org/doc/html/rfc2104.

To learn how to set up an HMAC service in Unqork, view our How to: Set Up HMAC (Hashed Key) Authentication article in the Doc Hub.

Setting

Description

HMAC Private Key (Armored)

Enter the Base-64 encoded string HMAC key associated with the service account.
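An added example (not Unqork's code) of what the Base64-encoded HMAC key is used for: signing a request and verifying it in constant time so that a modified body is rejected. The canonical string of method, path and body hash, the function names and the demo key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed demo key: 32 fixed bytes, Base64-encoded the way the setting expects.
DEMO_KEY_B64 = base64.b64encode(bytes(range(32))).decode()


def load_key(b64_key: str) -> bytes:
    """Decode the Base64 key; reject malformed input and keys shorter than the hash."""
    key = base64.b64decode(b64_key, validate=True)
    if len(key) < hashlib.sha256().digest_size:
        # RFC 2104 discourages keys shorter than the hash output length.
        raise ValueError("key is shorter than 32 bytes")
    return key


def sign_request(key: bytes, method: str, path: str, body: bytes) -> str:
    """HMAC-SHA256 over a hypothetical canonical string: METHOD, path, body hash."""
    message = "\n".join(
        [method.upper(), path, hashlib.sha256(body).hexdigest()]).encode()
    return base64.b64encode(hmac.new(key, message, hashlib.sha256).digest()).decode()


def verify_request(key: bytes, method: str, path: str, body: bytes,
                   signature: str) -> bool:
    """Recompute the signature and compare without leaking timing information."""
    expected = sign_request(key, method, path, body)
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    key = load_key(DEMO_KEY_B64)
    sig = sign_request(key, "POST", "/v1/items", b'{"qty": 1}')
    print(verify_request(key, "POST", "/v1/items", b'{"qty": 1}', sig))
    print(verify_request(key, "POST", "/v1/items", b'{"qty": 100}', sig))
```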

Encryption Service Type Settings

Unqork supports the GNU Privacy Guard (GPG) method for encrypting and decrypting payloads.

A static image displaying the Encryption Service Type.

Setting

Description

Service Protocol + Host                                                                        

Enter the endpoint address for the service.

Authentication Method*                                                                        

Set Encryption (GPG) or Decryption (GPG) as the service type's authentication method.

Encryption (GPG)                                                                            

Insert the GPG Encryption value.

To learn how to set up an encrypted SFTP, view our How to: Set up GPG Encryption for Files article.

GPG Public Key (Armored)                                                                                

Enter the public key provided by the service that's encrypting the files.

Decryption (GPG)                                                                            

Insert the GPG Decryption value.

To learn how to decrypt a file using GPG Encryption, view our How to: Set up GPG Encryption for Files article.

GPG Private Key (Armored)                                                                                

Enter the private key provided by the service that's decrypting the files.

FTP Service Type Settings

The File Transfer Protocol service type lets Creators connect their applications to an FTP or SFTP server.

A static image displaying the Services Administration FTP Service Type.

Setting

Description

Authentication Method*                                                                        

Set FTP or SFTP as the service type's authentication method.

To improve security, use the SFTP method. Only use FTP if no other option is available.

Host                                                                        

Enter the FTP/SFTP server or host address.

Port                                                                        

(FTP Only)

For FTP connections, enter the port value. Typical FTP port values are 20 (data port) and 21 (control port).

SFTP uses port 22 by default.

Username                                                                        

Enter the username or login value used to access the server.

Password                                                                        

Enter the password value used to access the server.

SFTP connections using SSH keys might not require a password, or they might require both.

SSH Private Key (.pem)                                                                        

(SFTP Only)

Insert the private key in .pem format.

If the key uses the PuTTY (.ppk) file format, convert it to .pem using a conversion tool.

Private Key Passphrase                                                                        

(SFTP Only)

If your SSH key uses a passphrase, enter it in this field.
