This guide covers authentication for use with the Corti API. If you are looking for authenticating users with Corti Assistant Embedded, then see more here.

Authenticating with Corti Auth

Corti uses OAuth 2.0 client credentials for server-to-server authentication. This flow requires that you fetch a short-lived access token based on a client_id and client_secret from the Corti Auth Server before calling the API. Note that both the client secret and the access tokens generated have full access to the API. They should never be shared or exposed to the client. For best practices on keeping your credentials secure, read our guide.

Fetching an Access Token with OAuth 2.0 client-credentials

curl \
  'https://auth.{environment}.corti.app/realms/base/protocol/openid-connect/token' \
  -d 'client_id=xxx' -d 'client_secret=xxx' \
  -d 'grant_type=client_credentials' -d 'scope=openid'
Response
{
    "access_token": "eyJhbGciOi...",
    "expires_in": 300,
    "token_type": "Bearer",
    "scope": "profile openid email"
}
For more detailed instructions on how to get an access token in various languages, see our guide here: Authentication Quickstart

Using the access token in API requests

Once you have an access token, include it in the Authorization header. You must also provide the Tenant-Name header to specify which tenant context the request operates in.
curl -X GET 'https://api.{environment}.corti.app/v2/interactions' \
  -H "Authorization: Bearer {{access_token}}" \
  -H "Tenant-Name: base"
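The two steps above (fetch a token, then send it with the Tenant-Name header) in one small client, as an added Python example rather than Corti's own code. The client_id, client_secret, environment and tenant values are placeholders; the transport and clock parameters are assumptions of this example, injectable so the caching and refresh logic can be exercised offline, and the 30-second refresh margin is a choice of this example, not a value from the page.

```python
import json
import time
import urllib.parse
import urllib.request

# Token endpoint from the page; "environment" is a placeholder for your deployment.
TOKEN_URL = "https://auth.{environment}.corti.app/realms/base/protocol/openid-connect/token"

def post_form(url, fields):
    """Real transport: POST a form-encoded body to the token endpoint, parse the JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())

class TokenProvider:
    """Caches a client-credentials token and refreshes it shortly before it expires."""
    def __init__(self, client_id, client_secret, environment, tenant,
                 transport=post_form, clock=time.monotonic, margin=30):
        self.client_id = client_id
        self.client_secret = client_secret   # server-side only; never ship it to a client
        self.url = TOKEN_URL.format(environment=environment)
        self.tenant = tenant
        self.transport = transport           # assumption: injectable for offline testing
        self.clock = clock                   # assumption: injectable monotonic clock
        self.margin = margin                 # refresh this many seconds before expiry
        self._token = None
        self._expires_at = 0.0

    def token(self):
        # Re-fetch when no token is cached or the cached one is about to expire.
        if self._token is None or self.clock() >= self._expires_at - self.margin:
            data = self.transport(self.url, {
                "client_id": self.client_id,
                "client_secret": self.client_secret,
                "grant_type": "client_credentials",
                "scope": "openid",
            })
            if str(data.get("token_type", "")).lower() != "bearer":
                raise ValueError(f"unexpected token_type: {data.get('token_type')!r}")
            self._token = data["access_token"]
            self._expires_at = self.clock() + float(data["expires_in"])
        return self._token

    def headers(self):
        """Headers for an API call: the bearer token plus the mandatory Tenant-Name."""
        return {"Authorization": "Bearer " + self.token(), "Tenant-Name": self.tenant}
```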

Why we use client credentials instead of an API key

API keys are simple, but they are static. If one leaks, whoever has it can call your APIs until you rotate it. Client credentials solve this by issuing short-lived tokens that expire automatically, which limits the blast radius of a leak and improves auditability. Key differences:
  • API keys are long-lived; client credentials produce short-lived tokens (5 minutes).
  • API keys cannot express scopes or granular permissions; OAuth tokens can.
  • OAuth flows integrate with identity providers and tenancy models, which makes them safer and easier to govern in enterprise environments.