The Services Administration page enables users to create, view, edit, and delete external API or authentication services. Examples of external services include Google Places API, Twilio API, OAuth2 Authentication Grants, and GPG Encryption/Decryption.
WSRBAC (workspace role-based access control) controls access to functions of Services Administration page. For more information on what roles can access and edit Services Administration data, view the Creator Role Administration article.
To learn how to add a service to the environment, view our Administration Services - How to: Add a Service article.
Navigating to a Service
After creating a service, Creators can access the service's management page to edit service info, workspace access, service type, and more.
To access and edit a service from the Services Administration page:
In the Services Administration list, navigate to the service you want to view or edit.
In the Actions column, click Manage.
Select Open. The service page displays.
At the top right of the page, click
.png)
Edit.
Service Settings
Service Info
The Service Info section lets you name the service and choose whether it's only available for server-side execution.
Setting | Description |
|---|---|
Service Title* | Enter the name of the service. A descriptive title helps other Creators understand the service. *This field is required. |
Service Name* | The permanent system-name for the service. This value is for reference and cannot be changed. |
Allow Service Execution Server Side Only | Set to
|
.png){kind=small}
.png){kind=small}
Manage Access
The Manage Access section controls whether the environment or specific workspaces can use the service.
Setting | Description |
|---|---|
Share to | Grant service access to the environment, or select one or more workspaces where you want to share the service.
|
Service Type
Use the Service Type section to set up the service connection.
Setting | Description |
|---|---|
Service Type | Specify the type of service you want to connect to. The service type controls what settings are available for the authentication method. Service types include:
|
Service Protocol + Host | Enter the service's endpoint to connect to Unqork. For example, |
Authentication Method* | The Authentication Method depends on the selected Service Type. |
Service Types
Unqork offers three service types: Authentication, Encryption, and FTP.
To learn how to set up external APIs in detail, visit our How to: Setup External APIs article.
Authentication Service Type Settings
Creators can set up access to dozens of services using the Authentication Service Type. Refer to each service's API access documentation to see which authentication method they use, and what keys must be obtained to access.
Client Secrets, passwords, and other service information are encrypted and stored in the local database.
Using the menu below, select a service to discover its settings:
No Authentication
No Authentication provides support for SOAP Digital Signatures.
To learn how to set up SOAP Digital Signatures, view our Enabling Soap Digital Signatures article in the Doc Hub.
OAuth2 Client Credentials Grant
Use the OAuth2 Client Credentials grant when applications request an access token to access their own resources.
To learn more about the OAuth 2.0 Client Credentials Grant, view the following documentation: https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/.
Setting | Description |
|---|---|
Access Token URL | Enter the URL that provides the OAuth Access Token. For example, |
Client ID | Enter the Client ID provided by the service. Here's an example of a Client ID from Okta: |
Client Secret | Enter the Client Secret value provided by the service. Client Secrets commonly use cryptographically-generated values to improve access security. |
Scope | Enter the access Scope value. Available scopes are dependent on the service. For example, Slack provides the following scopes: |
Send Client ID/Secret in Body Instead of Header | When set to |
Perform Authentication Only | If authentication is valid, the token is sent back immediately. |
Enable Token Persistence | When making requests, tokens are valid until their expiration time. At expiration, the token is no longer stored in Unqork's persisted storage. Requests after the expiration time no longer have an active token, and the service will attempt to retrieve a new one. If successful, the request continues and stores the new token. When set to |
Refresh Token | When setting Enable Token Persistence to |
Enable Mutual TLS | When set to
|
.png)
OAuth2 Password Grant
The OAuth 2.0 Password Grant exchange's the user's username and password for an access token.
To learn more about the OAuth 2.0 Password Grant, view the following documentation: https://www.oauth.com/oauth2-servers/access-tokens/password-grant/.
Setting | Description |
|---|---|
Access Token URL | Enter the URL that provides the OAuth Access Token. For example, |
Client ID | Enter the Client ID provided by the service. Here's an example of a Client ID from Okta: |
Client Secret | Enter the Client Secret value provided by the service. Client Secrets commonly use cryptographically-generated values to improve access security. |
Scope | Enter the access Scope value. Available scopes are dependent on the service. For example, Slack provides the following scopes: |
Send Client ID/Secret in Body Instead of Header | When set to |
Send authentication body as 'application/json' instead of 'application/x-www-form-urlencoded' (uncommon) | When set to |
Username | Enter the username used to access the service. |
Password | Enter the password used to access the service. |
Perform Authentication Only | If authentication is valid, the token is sent back immediately. |
Enable Mutual TLS | When set to
|
OAuth 2 JWT Bearer Grant
The OAuth 2.0 Bearer Grant uses a JSON Web Token to carry additional information in the payload.
To learn more about the OAuth 2 JWT Bearer Format, view the following documentation: https://datatracker.ietf.org/doc/html/rfc7523.
Setting | Description |
|---|---|
Access Token URL | Enter the URL that provides the OAuth Access Token. For example, |
Issuer (Client ID) | Enter the Client ID provided by the service. Here's an example of a Client ID from |
Subject | Enter the principal of the JWT; this is typically the user ID. |
Audience | The audience parameter is a list of case-sensitive URLs that cannot contain whitespaces. For example, |
Scope(s) to access | Enter the access Scope value. Available scopes are dependent on the service. For example, Slack provides the following scopes: |
Token Expires in (seconds) | Set the amount of time before the access token expires, in seconds. For example, to make a token expire in 90 minutes, enter 5400. (There are 5,400 seconds in 90 minutes.) Default token expiration is 60 minutes. |
Signing Algorithm | Specify an algorithm. he most common signing algorithms for JWTs are HS256 (HMAC using SHA256) and RS256 (RSA using SHA256).
|
Shared/Private Key | Enter the key used to access the service. |
Perform Authentication Only | If authentication is valid, the token is sent back immediately. |
Enable Mutual TLS | When set to
|
OAuth2 JWT Client Credential Grant Extended
The OAuth 2.0 Client Credential grant uses a JSON Web Token to carry additional information in the payload.
Setting | Description |
|---|---|
Access Token URL | Enter the URL that provides the JWT Access Token. For example, |
Client ID | Enter the Client ID provided by the service. Here's an example of a Client ID from Okta: |
Module ID | The module ID associated with this service. |
Secret key for user authorization JWT signing | Enter the key used to authorize the JSON Web Token signing. |
Encryption key for user authorization header | Enter the encryption key value used to authorize the user. |
Certificate Pem | The certificate containing the Private Key. |
Private Key Pem | The key contained in the certificate. |
Enable Mutual TLS | When set to
|
Bearer Token
Bearer authentication uses security tokens called bearer tokens. Bearer tokens are cryptic strings generated by the server in response to a login request.
Setting | Description |
|---|---|
Bearer Token | Enter the bearer token value provided by the external service. |
Enable Mutual TLS | When set to
|
WSSE Username Token Profile
A Web Services Security Extension is an extension of SOAP to apply security to Web services. It is a member of the Web service specifications and published by OASIS.
To learn more about the WSSE Username Token Profile format, view the following documentation: https://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-pr-UsernameTokenProfile-01.htm.
Setting | Description |
|---|---|
Username | Enter the username used to access the service. |
Password | Enter the password used to access the service. |
Enable SOAP Digital Signature | A SOAP digital signature is a value computed with a cryptographic algorithm. When that value is sent as part of a request, it lets the recipient verify the security and integrity of the incoming data.
|
Twilio
The Twilio REST API allows you to query metadata about your account and send text messages.
To learn more about the Twilio API, view the following documentation: https://www.twilio.com/docs/iam/api-keys.
Setting | Description |
|---|---|
Account SID | Enter the 34-digit String Identifier (SID) key provided by the Twilio resource. |
Auth Token | Enter the URL that provides the OAuth Access Token. For example, |
Number | Enter the phone number assigned by Twilio to send text messages. |
Express Domain | Enter the express domain assigned by Twilio. |
Plaid
The Plaid service enables access to Plaid's technology data transfer platform for financial products.
To learn more about the Plaid API, view the following the documentation: https://plaid.com/docs/api/.
Setting | Description |
|---|---|
Client ID | Enter the Client ID provided by the service. Here's an example of a Client ID from Okta: |
Public Key | Enter the static
|
Client Secret | Enter the Client Secret value provided by the service. Client Secrets commonly use cryptographically-generated values to improve access security. |
Environment | Choose which Plaid environment you want to access. Environments include Sandbox, Development, and Production.
|
Custom SOAP Header
The Custom SOAP header adds a header element to a SOAP request.
Setting | Description |
|---|---|
SOAP Header | Enter a custom value to include in the header of a SOAP request. |
Enable SOAP Digital Signature | A SOAP digital signature is a value computed with a cryptographic algorithm. When that value is sent as part of a request, it lets the recipient verify the security and integrity of the incoming data.
|
Enable Mutual TLS | When set to
|
Basic Auth
Basic Auth is the simplest method for creating authentication access in an HTTP Header.
Basic Authentication does not provide encryption or hashing for the transmitted credentials.
Setting | Description |
|---|---|
Username | Enter the username used to access the service. |
Password | Enter the password used to access the service. |
Enable Mutual TLS | When set to
|
Canada Post
The Canada Post service enables access to the AddressComplete API. This API enables the Address Search component to search for addresses.
To learn more about the Canda Post API, view the following documentation: https://www.canadapost-postescanada.ca/ac/support/api/addresscomplete-interactive-find/.
To learn how to enable the Address Search component using Canada Post, view our Enabling Address Search Using Address Services article in the Doc Hub.
Setting | Description |
|---|---|
API Key | Enter the API key provided by the Canada Post service. |
Google Places
The Google Places service enables access to requests for location data. This API enables the Address Search component to search for addresses.
To learn more about the Google Places API, view the following documentation: https://developers.google.com/maps/documentation/places/web-service/overview.
To learn how to enable the Address Search component using Canada Post, view our Enabling Address Search Using Address Services article in the Doc Hub.
Setting | Description |
|---|---|
API Key | Enter the API key provided by the Google Places service. |
Amazon S3
Authenticate with an Amazon S3 bucket using an Access Key ID and Secret Access Key. You’ll also set up the required Amazon S3 region.
To learn more about the Amazon S3 service, view the following documentation: https://docs.aws.amazon.com/AmazonS3/latest/userguide/GetStartedWithS3.html.
Setting | Description |
|---|---|
Access Key ID | Amazon’s Access Key ID is public and can be shared. It can be used with the Secret Access Key to configure authentication. |
Secret Access Key | Use your Amazon S3 bucket’s Secret Access Key in association with the Access Key ID to authenticate your bucket. |
Region | The supported region of your Amazon S3 bucket.
|
Azure Blob Storage
Authenticate with Azure Blob Storage using your connection string(s).
To learn more about the Google Places API, view the following documentation: https://developers.google.com/maps/documentation/places/web-service/overview.
Setting | Description |
|---|---|
Connection String | Use your Azure connection string, found in your Azure Portal, to authenticate with Azure Blob Storage. |
OpenID Connect (OIDC)
OIDC is a secure exchange of information between an OpenID Provider (OP) and Unqork. The OP is any SSO provider, such as Okta, Microsoft Entra ID, or Amazon Cognito.
To learn more about OpenID Connect, view the following documentation: https://openid.net/developers/how-connect-works/.
To learn more about OIDC in Unqork, visit our OpenID Connect (OIDC) article in the Doc Hub.
Setting | Description |
|---|---|
Enable Mutual TLS | When set to (checked), it enables the mLTS (Mutual Transport Layer Security) certificate selection.
|
Hyperscience
The Hyperscience API provides access to the Hyperscience SaaS platform for automating document classification, identification, and extraction.
To learn more about the Hyperscience API, view the following documentation: https://docs.hyperscience.com/#getting-started-guide.
Setting | Description |
|---|---|
API Key | Enter the API key provided by the Hyperscience service. |
Enable Mutual TLS | When set to
|
HMAC
HMAC is a key-hashed message authentication code used to verify data integrity and authenticity of a data request.
To learn more about HMAC, view the following documentation: https://datatracker.ietf.org/doc/html/rfc2104.
To learn how to set up an HMAC service in Unqork, view our How to: Set Up HMAC (Hashed Key) Authentication article in the Doc Hub.
Setting | Description |
|---|---|
HMAC Private Key (Armored) | Enter the Base-64 encoded string HMAC key associated with the service account. |
Encryption Service Type Settings
Unqork supports the GNU Privacy Guard (GPG) method for encrypting and decrypting payloads.
.jpg)
Setting | Description |
|---|---|
Service Protocol + Host | Enter the endpoint address for the service. |
Authentication Method* | Set Encryption (GPG) or Decryption (GPG) as the service type's authentication method. |
Encryption (GPG) | Insert the GPG Encryption value.
|
GPG Public Key (Armored) | Enter the public key provided by the service that's encrypting the files. |
Decryption (GPG) | Insert the GPG Decryption value.
|
GPG Private Key (Armored) | Enter the private key provided by the service that's decrypting the files. |
FTP Service Type Settings
The File Transfer Protocol service type lets Creators connect their applications to an FTP or SFTP server.
.jpg)
Setting | Description |
|---|---|
Authentication Method* | Set FTP or SFTP as the service type's authentication method.
|
Host | Enter the FTP/SFTP server or host address. |
Port (FTP Only) | For FTP connections, enter the port value. Typical FTP port values are
|
Username | Enter the username or login value used to access the server. |
Password | Enter the password value used to access the server.
|
SSH Private Key (.pem) (SFTP Only) | Insert the private key in pem format.
|
Private Key Passphrase (SFTP Only) | If your SSH key uses a passphrase, enter it in this field. |
FTP Service Type Resources
Request & Response
The Request and Response settings provide request headers, body, and response headers. Use these headers and body to provide required or additional information in the HTTP request made to the service. Values in these fields are sent with every request.
Request Headers
Request headers provide context about an HTTP request. They help define caching, authentication, and session state.
Request Body
Use the request body for create and update operations (POST, PUT, PATCH). The request body contains the resources to be created or updated.
Services might use the Request Body field in a GET request to define the data retrieved from a service.
Allowed Response Headers
Specify what header names will return in the HTTP response.
Logging
Logging service requests provides Creators with additional information on when and how a service is used.
To access and understand service logs, view our Understanding Service Logs article in the Doc Hub.
Setting | Description |
|---|---|
Capture Request and Response Bodies | Set to (checked) to enable logging for this service. |
Retention Days (defaults to 30 days) | Enter a value to retain services for longer or less than 30 days. |
PagerDuty Service Key (for optional alerting) | Enter a service key to integrate service logs with PagerDuty.
|