AuthRocket is comprised of 3 different APIs: the AuthRocket Core API, the AuthRocket Extended API, and the LoginRocket API.
This document covers how to make requests with the 2 AuthRocket APIs (via *.authrocket.com). To access the LoginRocket API, see Accessing the LoginRocket API.
TLS is required. Additionally, the AuthRocket APIs respond only on port 443 so as to prevent the accidental leakage of sensitive user data.
While the API endpoints may vary per account, they will always end with .authrocket.com. Your account’s endpoint URL will be displayed in the management portal next to your Secret API Key.
The API only sends JSON responses. All API requests must indicate that they are requesting JSON payloads:
Accept: application/json
Authentication information is sent using an HTTP header:
X-Authrocket-Api-Key: ko_0ut5nPLwrV9PxSRGy8OMZI-e34b5ff952f5e43de641d6e96a9a5d58
The API key may be found in the AuthRocket management portal under Realm -> Integration. Additional keys can be added and deleted from AuthRocket -> Settings -> API keys.
Legacy note: Previously, two headers were required: account (beginning with org_) and API key (beginning with key_). This older method is still supported:
X-Authrocket-Account: org_0ut5nPLwrV9PxSRGy8OMZI
X-Authrocket-Api-Key: key_e34b5ff952f5e43de641d6e96a9a5d58
Payloads sent to the API via POST or PUT requests may be sent as JSON or as standard url-encoded form data. JSON payloads are recommended as they are much easier to read when using nested data.
Content-type: application/json
Content-type: application/x-www-form-urlencoded
If your app only uses a single realm, you may specify a default Realm ID via HTTP header. This is optional as a realm_id may always be passed as part of individual API calls.
If using more than one realm, do not set a default realm. Instead, send it as part of the request (via query param or request body).
X-Authrocket-Realm: rl_0v1zTHXhtNgmDaXaDYSAqx
The realm ID can be found alongside the API key in the management portal under Realm -> Integration.
If you’re writing an AuthRocket library for use by 3rd-parties, a User-agent header with contact info for the library author(s) is required (a GitHub or other URL is fine). This enables us to reach out in the event we see something that needs to be addressed.
For everyone else, the User-agent header is optional, but adding one and including some kind of version identifier may be useful for your own debugging.
User-agent: <Your library or app, with URL or email>
Responses from the API will indicate the delivery of a JSON payload:
Content-type: application/json
All API responses will include X-Request-ID, which is unique to each request. If you have a question about a specific API call, sending the request ID will make it much easier for us to help you debug the issue.
X-Request-ID: rq_0vdbINw16QhITBp4iBhgX4
API responses all deliver an appropriate HTTP Status: header. The numeric portion of this status code should be checked before attempting to parse the body response. See Status codes for more details.
Questions? Find a Typo? Get in touch.