Authentication of API requests
People Service APIs require authentication for most requests to ensure that only authorized users can access and modify user data. This section provides details on how to ensure secure communication with People Service APIs by authenticating your API requests.
OIDC authentication for API requests
People Service uses OpenID Connect (OIDC) for authentication, and every protected API request must carry a valid authorization token. People Service generates this token after the user has successfully authenticated against the configured identity provider.
Because OIDC is built around browser-based Single Sign-On (SSO) flows, the APIs can only be used after a user has authenticated in a browser. People Service then issues an access token that authenticates subsequent API requests; the client passes this token in the Authorization header of each request.
Valid tokens can also be generated by alternate providers, because the secret used to sign the JWT and the token expiration are both configurable. Note that anyone who holds the signing secret can mint tokens that People Service will accept, so treat the secret as a credential: keep it out of source control and client-side code, and keep the configured expiration short. The API endpoint dx/api/people/v1/auth/token provides a valid token for API requests. If the token is valid, People Service uses it for subsequent API requests in the user's browser session.
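The following is an added example, not code from People Service or this documentation, showing what "the JWT token secret and expiration are configurable" means in practice: the same secret and expiry settings let a token be minted and then checked, and the check must pin the signing algorithm, compare the signature in constant time and enforce exp. The HS256 algorithm, the sub/iat/exp claim names and the Bearer scheme for the Authorization header are assumptions; the page does not state which algorithm or claims People Service uses, and the code never contacts a People Service endpoint. The secret and timestamps are constructed test values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: bytes, subject: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Create an HS256-signed JWT (assumed algorithm) valid for ttl_seconds, the configurable expiration."""
    issued_at = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": issued_at, "exp": issued_at + ttl_seconds}  # assumed claim names
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(secret: bytes, token: str, now: Optional[int] = None) -> dict:
    """Validate signature and expiry; raise ValueError with a reason on any failure."""
    current = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except Exception as exc:
        raise ValueError("malformed header") from exc
    # Pin the algorithm: never let the token choose it (rejects alg=none and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the signature check does not leak via timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    exp = payload.get("exp")
    # Enforce the configured expiration; a token with no exp is rejected rather than treated as eternal.
    if not isinstance(exp, int) or current >= exp:
        raise ValueError("expired")
    return payload


def token_status(secret: bytes, token: str, now: Optional[int] = None) -> str:
    """Return 'ok' if the token verifies, otherwise the rejection reason."""
    try:
        verify_token(secret, token, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def auth_header(token: str) -> dict:
    """Headers for an authenticated API request; the Bearer scheme is an assumption."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    # Constructed demo values: a signing secret and a fixed clock.
    secret = b"configured-signing-secret"
    t0 = 1_700_000_000
    token = mint_token(secret, "alice", 300, now=t0)
    print("fresh token:", token_status(secret, token, now=t0 + 100))
    print("wrong secret:", token_status(b"another-secret", token, now=t0 + 100))
    print("after expiry:", token_status(secret, token, now=t0 + 300))
    print("request headers:", auth_header(token))
```

The rejection paths are the ones worth testing in a real deployment: a token signed with a different secret, a token whose payload was edited after signing, a token that names alg=none, and a token past its exp must all be refused, and a token that verifies should still only be sent over TLS, since the Authorization header is a bearer credential for the rest of the session.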
For more information about authentication in general, refer to Authentication.