Skip to main content

API Keys and JWTs

The Arrotech Hub API securely authenticates requests to isolate customer data.

Authentication Methods

curl -X GET "https://prod.api.arrotechsolutions.com/chat/providers" \
  -H "Authorization: Bearer YOUR_API_KEY"

Developer OAuth (Apps)

To build integrations that work with Arrotech Hub at scale, use our Developer Portal to create an application and obtain OAuth credentials.

2-Legged Flow (Client Credentials)

Best for server-to-server integrations where no user context is required.

curl -X POST "https://prod.api.arrotechsolutions.com/auth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "scope=data:read workflow:execute"

3-Legged Flow (Authorization Code)

Used for third-party applications that need to access a user's data with their explicit consent.

  1. Redirect the user to authorize:

    GET https://hub.arrotechsolutions.com/auth/authorize?
      response_type=code&
      client_id=YOUR_CLIENT_ID&
      redirect_uri=YOUR_CALLBACK_URL&
      scope=data:read&
      state=xyz

  2. Exchange the code for a token:

    curl -X POST "https://prod.api.arrotechsolutions.com/auth/token" \
      -d "grant_type=authorization_code" \
      -d "code=AUTHORIZATION_CODE" \
      -d "client_id=YOUR_CLIENT_ID" \
      -d "client_secret=YOUR_CLIENT_SECRET" \
      -d "redirect_uri=YOUR_CALLBACK_URL"

JWT Tokens (Internal Hub Access)

... If you are modifying the Arrotech backend or writing an internally deployed plugin, you may instead pass the standard JWT access token generated by the /auth/login endpoint.

The format remains identical:

Authorization: Bearer <jwt_access_token>

[!important] Production API Keys Only: Ensure you are using a production API key for hitting prod.api.arrotechsolutions.com. Sandbox keys will return a 401 Unauthorized error.