
Authentication & Security

Secure your API requests with industry-standard authentication

Security Standards

OAuth 2.0: Industry standard
TLS 1.3: Encrypted transport
HMAC SHA-256: Request signing

API Key Authentication

The simplest method for server-to-server communication:

1. Generate API Key

Navigate to Settings → API Keys in your dashboard

API Key: sk_live_1234567890abcdefghijklmnop
Secret: sk_secret_abcdefghijklmnopqrstuvwxyz123456

2. Include in Headers

Authorization: Bearer sk_live_1234567890abcdefghijklmnop

Security: Never expose API keys in client-side code. Use environment variables.

OAuth 2.0 Flow

Authorization Code Grant

For applications that can securely store secrets:

Step 1: Redirect to Authorization

https://auth.cognexiaai.com/oauth/authorize?
  client_id=YOUR_CLIENT_ID&
  redirect_uri=https://yourapp.com/callback&
  response_type=code&
  scope=crm:read crm:write hr:read

Step 2: Exchange Code for Token

curl -X POST https://auth.cognexiaai.com/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "authorization_code",
    "code": "AUTH_CODE",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET",
    "redirect_uri": "https://yourapp.com/callback"
  }'

Response:

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "refresh_1234567890",
  "scope": "crm:read crm:write hr:read"
}

Refresh Token

curl -X POST https://auth.cognexiaai.com/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "refresh_token",
    "refresh_token": "refresh_1234567890",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET"
  }'

Scopes & Permissions

Scope            Description
crm:read         Read CRM contacts and deals
crm:write        Create and update CRM data
hr:read          Read employee data
hr:write         Manage employees and attendance
finance:read     View financial records
finance:write    Create invoices and transactions
admin            Full administrative access

Webhook Signatures

Verify webhook authenticity using HMAC signatures:

const crypto = require('crypto');

// payload must be the raw request body (string or Buffer) exactly as received.
// A JSON object that was parsed and re-serialised will not reproduce the signed
// bytes, and crypto.createHmac().update() rejects a plain object anyway.
function verifyWebhook(payload, signature, secret) {
  const hmac = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');

  const expected = Buffer.from(hmac);
  const given = typeof signature === 'string' ? Buffer.from(signature) : null;

  // timingSafeEqual throws when the inputs differ in length, so a missing or
  // malformed header must be rejected here rather than surfacing as an exception.
  if (given === null || given.length !== expected.length) {
    return false;
  }

  return crypto.timingSafeEqual(given, expected);
}

// Usage: req.body must be the unparsed body here (for Express, mount the webhook
// route with express.raw() so req.body is a Buffer, not the JSON-parsed object)
const isValid = verifyWebhook(
  req.body,
  req.headers['x-cognexia-signature'],
  process.env.WEBHOOK_SECRET
);

Security Best Practices

Rotate API Keys Regularly

Change keys every 90 days or after team member changes

Use Environment Variables

Never hardcode keys in source code or commit to version control

Principle of Least Privilege

Request only the scopes you need
