All APIs use the OAuth 2.0 (OAuth2) protocol for authentication and authorization. To authenticate against the API, you must include an API token, generally referred to as a bearer token, in each API call. A bearer token is a string that is used to give the owner of the token access to a resource. The token should be passed as an "Authorization" header using the "Bearer" authentication scheme.
During development and testing, you can use a test API token associated with your user account.
To create a test API token, follow the steps below:
https://<hostname>/multipass/app/account. See instructions for getting your hostname to find the hostname for your environment.
All user-generated tokens should be kept secure and revoked when they are no longer needed.
To revoke tokens manually, return to your tokens list and click Revoke. Tokens are automatically revoked upon expiry.
These tokens are associated with your personal Gotham user account and must not be used in production applications or committed to shared or public code repositories. We recommend you store test API tokens as environment variables during development.
To include a token in an API call, pass the token in as an "Authorization" header using the "Bearer" authentication scheme. For example:
curl -H "Authorization: Bearer <your token>" "https://<hostname>/api/gotham/v1/objects/<objectPrimaryKey>"
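The following is an added example, not part of the Gotham documentation. It follows the recommendation above to keep a test token in an environment variable, and passes the header to curl on stdin so the token does not appear in the process list. The variable names GOTHAM_HOSTNAME and GOTHAM_TOKEN and both function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: call the Gotham API with a test token held in environment
# variables. GOTHAM_HOSTNAME and GOTHAM_TOKEN are assumed names, not names
# defined by the platform.

# Print the Authorization header line, or fail if the token is unusable.
gotham_auth_header() {
    if [ -z "${GOTHAM_TOKEN:-}" ]; then
        echo "GOTHAM_TOKEN is not set" >&2
        return 1
    fi
    # Reject whitespace and control characters: a stray newline pasted with
    # the token would otherwise turn into an extra header line.
    cleaned="$(printf '%s' "$GOTHAM_TOKEN" | tr -d '[:space:][:cntrl:]')"
    if [ "$cleaned" != "$GOTHAM_TOKEN" ]; then
        echo "GOTHAM_TOKEN contains whitespace or control characters" >&2
        return 1
    fi
    printf 'Authorization: Bearer %s\n' "$GOTHAM_TOKEN"
}

# GET an object by primary key. The header is fed to curl on stdin
# (-H @-, curl 7.55.0 or later) instead of being placed on the command line.
gotham_get_object() {
    key="${1:-}"
    if [ -z "${GOTHAM_HOSTNAME:-}" ] || [ -z "$key" ]; then
        echo "usage: GOTHAM_HOSTNAME=<hostname> gotham_get_object <objectPrimaryKey>" >&2
        return 2
    fi
    header="$(gotham_auth_header)" || return 1
    printf '%s\n' "$header" | curl --fail --silent --show-error -H @- \
        "https://${GOTHAM_HOSTNAME}/api/gotham/v1/objects/${key}"
}
```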
We strongly recommend all production applications use OAuth2 for authentication.
Gotham offers Authentication Code grants to allow a third-party application to act on behalf of its users, as well as Client Credentials grants that allow an application to act as a service user.
For information on how to integrate your third-party application with Palantir Gotham, consult our documentation on registering and managing third-party applications in the platform.