Skip to main content
The FirstQuadrant API supports two types of authentication:
  1. API Keys - For programmatic access
  2. Access Tokens - For user authentication

API keys

API keys are used for programmatic access to the FirstQuadrant API. They are prefixed with fqa_ and can be generated from the web application’s settings.

Obtaining an API key

  1. Log in to your FirstQuadrant account
  2. Go to Settings > API Keys
  3. Click “Create API Key”
  4. Give your API key a name and select the required scopes
  5. Copy the generated API key immediately - you won’t be able to see it again

Using API keys

Include your API key in the Authorization header:

API key scopes

API keys can be restricted to specific scopes using the following format:
Where:
  • <resource> is the resource type (e.g., user, organization, campaign)
  • <action> is the action type (e.g., * for all actions)
  • <permission> is either read or write
Examples:
  • urn:firstquadrant:user:*:read - Read access to user resources
  • urn:firstquadrant:organization:*:write - Write access to organization resources
  • urn:firstquadrant:*:*:read - Read access to all resources (sudo)

Organization context

When using API keys, you must include the organization ID in the FirstQuadrant-Organization-ID header:

Access tokens

Access tokens are used to authenticate users who are logged into the FirstQuadrant web application. They are JWT tokens that contain user information and permissions.

Obtaining an access token

  1. Log in to your FirstQuadrant account through the web application
  2. Your access token will be automatically included in all API requests made through the web interface
  3. For programmatic access, you can use the refresh token flow described below

Using access tokens

Include your access token in the Authorization header:

Refresh token flow

  1. When you first authenticate, you’ll receive both an access token and a refresh token
  2. Access tokens expire after 24 hours
  3. To get a new access token, send a POST request to /auth with your refresh token:
The response will include new access and refresh tokens:

Error responses

The API will return the following error responses for authentication issues:

401 Unauthorized

403 Forbidden

Security best practices

  1. Never share your API keys or access tokens
  2. Rotate API keys regularly
  3. Use the minimum required scopes for API keys
  4. Store tokens securely and never commit them to version control
  5. Use environment variables for storing sensitive credentials