Authentication

You need to authenticate requests to use the Qonic API. We support Basic authentication and OAuth 2.1 Authorization Code with PKCE. Basic auth is simpler but less secure; we recommend using OAuth.

Basic authentication

Basic authentication is the simplest way to authenticate your requests: you supply a username and password combination with each request.

OAuth 2.1 with PKCE (recommended)

The recommended way to authenticate is with OAuth 2.1 Authorization Code Flow + PKCE. This requires a browser login, after which an access token is stored and reused.

Configuration

Use the following values when setting up your OAuth client:

Example flow

  1. Generate a PKCE secret (the code verifier) and the challenge derived from it.
  2. Open {{AUTH_ISSUER}}/authorize in the browser with client_id, redirect_uri, scope, audience, and code_challenge.
  3. After login, a local HTTP server at AUTH_REDIRECT_URI receives the authorization code.
  4. Exchange the code at {{AUTH_ISSUER}}/oauth/token to get an access_token.
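
The client-side parts of the four steps above, as an added sketch (not Qonic's sample code): it derives the S256 challenge, builds the authorize URL, checks the callback, and assembles the token-exchange fields without contacting any server. Assumptions: the issuer, redirect URI, client ID, scope and audience are placeholders; `response_type`, `code_challenge_method=S256` and `state` are standard OAuth / RFC 7636 parameters that go beyond the list in step 2; all function names are hypothetical.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions): take the real values from your OAuth client configuration.
AUTH_ISSUER = "https://auth.example.invalid"
AUTH_REDIRECT_URI = "http://localhost:8080/callback"
CLIENT = {"client_id": "YOUR_CLIENT_ID", "scope": "YOUR_SCOPE", "audience": "YOUR_AUDIENCE"}

def b64url(raw: bytes) -> str:
    # base64url without padding, the encoding RFC 7636 specifies
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def challenge_for(verifier: str) -> str:
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def start_login() -> dict:
    # Steps 1-2: fresh verifier and state per login; only the challenge leaves the client.
    verifier, state = b64url(secrets.token_bytes(32)), b64url(secrets.token_bytes(16))
    params = {**CLIENT, "response_type": "code", "redirect_uri": AUTH_REDIRECT_URI,
              "code_challenge": challenge_for(verifier),
              "code_challenge_method": "S256", "state": state}
    return {"verifier": verifier, "state": state,
            "url": f"{AUTH_ISSUER}/authorize?{urlencode(params)}"}

def code_from_callback(callback_url: str, expected_state: str) -> str:
    # Step 3: accept the code only if the callback carries the state we issued.
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not for this login attempt")
    if "error" in query or "code" not in query:
        raise ValueError("authorization failed or no code returned")
    return query["code"][0]

def token_request_fields(code: str, verifier: str) -> dict:
    # Step 4: fields sent to {AUTH_ISSUER}/oauth/token; the verifier proves we started the flow.
    return {"grant_type": "authorization_code", "client_id": CLIENT["client_id"],
            "code": code, "code_verifier": verifier, "redirect_uri": AUTH_REDIRECT_URI}

if __name__ == "__main__":
    login = start_login()
    # Constructed callback, standing in for what the local HTTP server would receive.
    callback = f"{AUTH_REDIRECT_URI}?code=SAMPLE_CODE&state={login['state']}"
    code = code_from_callback(callback, login["state"])
    print(login["url"])
    print(token_request_fields(code, login["verifier"]))
```

Keep the verifier and state in memory for the duration of one login only; a callback whose state does not match is rejected before any code is exchanged.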

Making requests

Use the token in the Authorization header:

Security notes

  • Keep your tokens safe; never commit them to version control.
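  • PKCE protects public clients against interception of the authorization code: without the matching code verifier, an intercepted code cannot be exchanged for a token.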
  • Basic authentication should only be used for quick tests, not production.

Full OAuth example (Python)

For a complete, minimal working implementation of the OAuth 2.1 Authorization Code Flow with PKCE in Python, see our Qonic API Python Sample on GitHub.

This script spins up a local HTTP server, opens your browser to log in, and then exchanges the authorization code for tokens you can use with the Qonic API.