Authentication information is required to use the API. There are two types of authentication information: API keys and access tokens.
The following authentication methods can be used:

Table 1. Authentication type

| Type | Contents | Authentication information | Expiration |
|---|---|---|---|
| API Key Authentication | An authentication method that grants API usage based on a key. | API key | No expiration |
| OAuth 2.0 | An authentication method based on OAuth 2.0 (RFC 6749) that grants permission to use an API by means of an access token issued based on Client ID and Client Secret. | Access token | One hour from issuance |
| OAuth Authentication (conventional method) | Provides a token-based authentication method, which has been provided in the past, to maintain I/F compatibility. Client ID, Client Secret and internal operations are shared with OAuth 2.0 to ensure security. This authentication method is provided to maintain compatibility with conventional I/F, and the use of OAuth 2.0 is recommended. | Access token | One hour from issuance |

API Usage

When using API Key Authentication

  1. Create a new API key on the API key authentication information creation screen of the portal site.
    Select a group from "Group List" to display "Group Information", then click [Create] under "API Key Information" on the "Authentication Information" tab of "Group Information".

  2. Specify an API key and then use the API for each service.
    The API key is specified in the HTTP header as follows.
    'X-Api-Key: <API Key>'

Note: Using Primary Key and Secondary Key

Although API keys do not expire, you may need to regenerate the API keys that your application uses for security reasons (key misuse, etc.). If only one API key is used, the application will fail authentication when the key is regenerated and processing will not continue. If the application holds more than one key, it can continue to execute the API by retrying with a key that is still valid (the secondary key, etc.).
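
One way an application can implement the primary/secondary fallback described in this note, as an added example that is not part of the original documentation. It assumes the service rejects a regenerated key with HTTP 401; `KeyRing`, `fake_service` and the sample keys are hypothetical names and constructed values, and the transport is a stub so the block runs offline.

```python
from typing import Callable, Dict, Sequence, Tuple

# Assumption: the service answers HTTP 401 when the key in X-Api-Key is invalid.
AUTH_FAILED = 401
Send = Callable[[Dict[str, str]], Tuple[int, str]]  # headers -> (status, body)


class KeyRing:
    """Holds the primary and secondary API keys and remembers which one works."""

    def __init__(self, keys: Sequence[str]):
        if not keys:
            raise ValueError("at least one API key is required")
        self._keys = list(keys)
        self._active = 0  # index of the key that last authenticated

    def call(self, send: Send) -> Tuple[int, str]:
        """Send one request; move to the next key only on an auth failure."""
        status, body = AUTH_FAILED, ""
        for offset in range(len(self._keys)):
            idx = (self._active + offset) % len(self._keys)
            status, body = send({"X-Api-Key": self._keys[idx]})
            if status != AUTH_FAILED:
                self._active = idx  # later calls start with the working key
                return status, body
        return status, body  # every key was rejected: surface the failure

    def active_slot(self) -> str:
        """Name the slot in use for logs/alerts without exposing the key."""
        return "primary" if self._active == 0 else "secondary"


def fake_service(valid_keys):
    """Constructed stand-in for the API: accepts only keys in valid_keys."""
    def send(headers):
        send.seen.append(headers["X-Api-Key"])
        ok = headers["X-Api-Key"] in valid_keys
        return (200, "ok") if ok else (AUTH_FAILED, "denied")
    send.seen = []
    return send


def demo():
    ring = KeyRing(["PRIMARY-OLD", "SECONDARY"])  # constructed sample keys
    service = fake_service({"SECONDARY"})  # primary has been regenerated
    first = ring.call(service)   # 401 on primary, then 200 on secondary
    second = ring.call(service)  # goes straight to the secondary key
    return first, second, ring.active_slot(), service.seen
```

A switch to the secondary slot is worth logging (by slot name, never the key value) so the regenerated primary key can be deployed before the secondary key is regenerated in turn.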

When using OAuth 2.0

  1. Create new Client ID and Client Secret on the OAuth authentication information creation screen of the portal site.
    Select a group from "Group List" to display "Group Information", then click [Create] under "OAuth Information" on the "Authentication Information" tab of "Group Information".

  2. Issue an access token using the Client ID and Client Secret key.
    Issue it using the API Authentication API Reference.
    The procedure for issuing an access token is as follows:

    1. Click on the lock icon in the upper right corner.

    2. Enter the Client ID in the Username field and the Client Secret in the Password field, then click [Authorize].

    3. Click [Close].

    4. Click [Try it out] in /v2/tokens(POST) API.

    5. Click [Execute].

    6. The "access_token" is returned in the Response body.

  3. Specify an Access Token and then use the API for each service.
    The Access Token is specified in the HTTP header as follows.
    'X-Access-Token: <Access Token>'

Note: How to update the Access Token.

If the access token expires, follow the same procedure to reissue one.

When using OAuth Authentication (conventional method)

  1. Create new Client ID and Client Secret on the OAuth authentication information creation screen of the portal site.
    Select a group from "Group List" to display "Group Information", then click [Create] under "OAuth Information" on the "Authentication Information" tab of "Group Information".

  2. Issue an access token using the Client ID and Client Secret key.
    Issue it using the API Authentication API Reference.
    The procedure for issuing an access token is as follows:

    1. Click [Try it out] in the tokens (POST) API.

    2. Enter the items enclosed in a red box and click [Execute].
      In the Request body, enter the Client ID and Client Secret you created in step 1.

    3. The "accessToken" is returned in the Response body.

  3. Specify an Access Token and then use the API for each service.
    The Access Token is specified in the HTTP header as follows.
    'X-Access-Token: <Access Token>'

Note: How to update the Access Token.

When an Access Token is issued, a Refresh Token is issued at the same time.
Before the Access Token expires, you can use the Refresh Token instead of the Client ID and Client Secret to reissue the Access Token using the tokens (PATCH) API in the API Authentication API Reference.
However, the Refresh Token expires one day after it is issued.

Note: How to migrate to OAuth 2.0

You can migrate to OAuth 2.0 by replacing the POST /v1/tokens API used to obtain the access token in step 2 with the POST /v2/tokens API used in step 2 of "When using OAuth 2.0".