Authentication methods

The ION GraphQL API supports two authentication methods: API keys for machine-to-machine integrations and OAuth 2.0 for user-facing applications. Every request uses the same endpoint and Authorization header. Only the way you obtain the token differs.

Endpoint and headers

Every authenticated request targets a single GraphQL endpoint. Include the access token on every request:

    POST /graphql HTTP/1.1
    Host: api.firstresonance.io
    Authorization: Bearer <token>
    Content-Type: application/json

ION also accepts Authorization: Token <token> for backward compatibility. Prefer Bearer. For multipart file uploads, set Content-Type: multipart/form-data. Follow the flow in File Upload.

Troubleshooting

When ION rejects a request during authentication, the response carries an errors[].message payload:

    {
      "errors": [{ "message": "Token is expired." }]
    }

For the full list of authentication failures and their fixes (401 Unauthorized, 403 Forbidden, rate limits, and 5xx errors), see Error codes.
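
The request headers and the errors[].message payload described above, tied together in a small client helper. This is an added example, not code from the ION documentation; the https scheme and the helper names (build_request, loggable_headers, error_messages, token_expired) are assumptions, and the sample response is constructed from the payload shown on this page.

```python
import json
import urllib.request

# Endpoint from the page (POST /graphql, Host: api.firstresonance.io); https is assumed.
ION_URL = "https://api.firstresonance.io/graphql"
# Constructed sample response, matching the payload in the Troubleshooting section.
SAMPLE_EXPIRED = b'{"errors": [{"message": "Token is expired."}]}'


def build_request(token, query, variables=None):
    """Build the authenticated POST; nothing is sent until urlopen() is called."""
    # Reject whitespace and control characters up front so a malformed
    # token (for example one containing CR/LF) never reaches the header.
    if not token or any(c.isspace() or not c.isprintable() for c in token):
        raise ValueError("token is empty or contains whitespace/control characters")
    body = json.dumps({"query": query, "variables": variables or {}}).encode()
    return urllib.request.Request(
        ION_URL, data=body, method="POST",
        headers={"Authorization": "Bearer " + token,  # preferred over "Token"
                 "Content-Type": "application/json"},
    )


def loggable_headers(req):
    """Copy of the request headers that is safe to log: the credential is replaced."""
    return {name: "Bearer <redacted>" if name.lower() == "authorization" else value
            for name, value in req.header_items()}


def error_messages(raw_body):
    """Collect errors[].message from a response body; [] when there are none."""
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return []
    errors = payload.get("errors") if isinstance(payload, dict) else None
    if not isinstance(errors, list):
        return []
    return [e["message"] for e in errors
            if isinstance(e, dict) and isinstance(e.get("message"), str)]


def token_expired(raw_body):
    """True when the body carries the expiry message shown on this page."""
    return "Token is expired." in error_messages(raw_body)
```

Log loggable_headers(req) rather than the request itself, and obtain a fresh token when token_expired() returns True instead of retrying with the same one.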