Authentication
Learn how to authenticate with the Futurity API using OAuth 2.0 or API keys.
Authentication Methods
Section titled “Authentication Methods”| Method | Use Case |
|---|---|
| OAuth 2.0 | User-authorized applications |
| API Keys | Server-to-server integrations |
OAuth 2.0
Section titled “OAuth 2.0”Overview
Section titled “Overview”OAuth 2.0 allows your application to act on behalf of a user. Use this for:
- Applications where users log in
- Integrations that need user consent
- Web and mobile applications
Authorization Code Flow
Section titled “Authorization Code Flow”-
Redirect user to authorization
GET https://futurity.work/oauth/authorize?client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&response_type=code&scope=read write&state=RANDOM_STATE -
User grants permission
User sees a consent screen and approves your app.
-
Receive authorization code
User is redirected to your
redirect_uri:https://your-app.com/callback?code=AUTH_CODE&state=RANDOM_STATE -
Exchange code for tokens
Terminal window POST https://futurity.work/oauth/tokenContent-Type: application/x-www-form-urlencodedgrant_type=authorization_code&code=AUTH_CODE&redirect_uri=YOUR_REDIRECT_URI&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET -
Receive tokens
{"access_token": "eyJ...","token_type": "Bearer","expires_in": 3600,"refresh_token": "eyJ...","scope": "read write"}
Refreshing Tokens
Section titled “Refreshing Tokens”When access tokens expire, use the refresh token:
POST https://futurity.work/oauth/tokenContent-Type: application/x-www-form-urlencoded
grant_type=refresh_token&refresh_token=YOUR_REFRESH_TOKEN&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRETResponse:
{ "access_token": "eyJ...", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "eyJ..."}Scopes
Section titled “Scopes”Request only the scopes you need:
| Scope | Access |
|---|---|
read | Read-only access to resources |
write | Create and modify resources |
corint | Access Corint conversations |
vault | Access Vault files |
workflows | Access workflows |
organization | Organization management |
Combine scopes with spaces:
scope=read write vaultToken Lifetimes
Section titled “Token Lifetimes”| Token | Lifetime |
|---|---|
| Access token | 1 hour |
| Refresh token | 30 days |
API Keys
Section titled “API Keys”Overview
Section titled “Overview”API keys are for server-to-server communication where no user interaction is needed. Use for:
- Backend services
- Scheduled jobs
- System integrations
Creating API Keys
Section titled “Creating API Keys”- Go to Settings → API Keys
- Click Create API Key
- Give it a descriptive name
- Select permissions
- Copy the key (shown only once!)
Using API Keys
Section titled “Using API Keys”Include in the Authorization header:
curl -H "Authorization: Bearer YOUR_API_KEY" \ https://api.futurity.work/v1/workflowsAPI Key Permissions
Section titled “API Key Permissions”When creating an API key, select what it can access:
- Full access (all permissions)
- Read-only
- Specific resources (Vault, Workflows, etc.)
Managing API Keys
Section titled “Managing API Keys”| Action | How |
|---|---|
| View keys | Settings → API Keys |
| Revoke key | Click the key → Revoke |
| Rotate key | Revoke and create new |
Using Tokens
Section titled “Using Tokens”Request Header
Section titled “Request Header”All authenticated requests need the Authorization header:
Authorization: Bearer YOUR_TOKENExample Requests
Section titled “Example Requests”Get current user:
curl -H "Authorization: Bearer YOUR_TOKEN" \ https://api.futurity.work/v1/whoamiCreate a workflow:
curl -X POST \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{"name": "My Workflow"}' \ https://api.futurity.work/v1/workflowsError Handling
Section titled “Error Handling”Invalid Token
Section titled “Invalid Token”{ "error": { "code": "UNAUTHORIZED", "message": "Invalid or expired token" }}Solution: Refresh the token or re-authenticate.
Insufficient Scope
Section titled “Insufficient Scope”{ "error": { "code": "FORBIDDEN", "message": "Token does not have required scope: workflows" }}Solution: Request additional scopes during authorization.
Rate Limited
Section titled “Rate Limited”{ "error": { "code": "RATE_LIMITED", "message": "Too many requests", "retryAfter": 60 }}Solution: Wait and retry with exponential backoff.
Security Best Practices
Section titled “Security Best Practices”- Never expose tokens in client-side code: Use server-side handling
- Store securely: Use environment variables or secrets managers
- Rotate regularly: Especially API keys for production
- Revoke immediately: When compromised or no longer needed
- Use minimum scopes: Only request what you need
- Validate state parameter: Prevent CSRF in OAuth flow
Registering Your Application
Section titled “Registering Your Application”To use OAuth, register your application:
- Go to Settings → Developer
- Click Register Application
- Fill in application details:
- Name
- Description
- Redirect URIs
- Scopes needed
- Receive
client_idandclient_secret
Testing Authentication
Section titled “Testing Authentication”Verify your token works:
curl -H "Authorization: Bearer YOUR_TOKEN" \ https://api.futurity.work/v1/whoamiExpected response:
{ "data": { "id": "user_123", "email": "you@example.com", "name": "Your Name" }}