Authentication
Our authentication is built on OAuth 2.0 and OpenID Connect. We have authentication flows for all the common application types, and in this section we'll be taking a close look at those flows.
Authentication flows are set up by creating authentication clients on your application's settings page. An application can have multiple authentication clients.
For most scenarios we recommend using a server client and communicating with our APIs through your own server. The other flows are limited to the access level of the authenticated user, whereas a server client can request the permissions it needs when it is activated on a company.
Server
If your application is a server (e.g. an ASP.NET API), you can use a server client for authentication. The flow is certificate based, and your server can act on behalf of the companies you have been given access to without human interaction.
You can read more about this flow here.
Traditional web apps
For traditional web apps running on a server we use the Authorization Code Flow defined in OAuth 2.0. The flow uses a client secret, which must be kept secure on the server.
Examples of applications where this flow can be used are ASP.NET Core MVC apps as well as JavaScript meta-frameworks such as Next.js.
You can read more about this flow here.
SPA and mobile/native apps
If your application is a public client that cannot securely store secrets, we support the Authorization Code Flow with PKCE.
The flow builds on the Authorization Code Flow with additional steps that let us authenticate users securely without a client secret.
Common use cases for this flow are single page apps built with JavaScript frameworks as well as mobile or native applications.
You can read more about this flow here.
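As an added illustration of the PKCE steps described above (example code written for this page, not part of our SDKs), the block below generates a code_verifier, derives the S256 code_challenge that the public client sends with the authorization request, and shows the check the authorization server performs at the token endpoint. The client_id, redirect_uri and scope values are placeholders.

```python
import base64
import hashlib
import hmac
import secrets

# Unreserved characters allowed in a code_verifier (RFC 7636, section 4.1).
VERIFIER_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def _b64url(data: bytes) -> str:
    """Base64url-encode without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(length: int = 64) -> str:
    """Generate a high-entropy code_verifier of 43..128 unreserved characters.
    It never leaves the device; only its hash is sent to the server."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_params(client_id, redirect_uri, scope, verifier, state):
    """Query parameters the public client adds to the authorization request.
    The client secret is absent: the challenge replaces it."""
    return {
        "response_type": "code",
        "client_id": client_id,          # placeholder value in this example
        "redirect_uri": redirect_uri,    # placeholder value in this example
        "scope": scope,
        "state": state,                  # CSRF protection for the redirect
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }


def server_accepts_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """Token-endpoint check: recompute the challenge from the verifier that
    accompanies the authorization code and compare in constant time. A code
    intercepted in transit is useless without the matching verifier."""
    recomputed = make_code_challenge(presented_verifier)
    return hmac.compare_digest(recomputed, stored_challenge)
```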