API User's Guide

Authenticating users

Updated in 8.7

External applications that integrate with Alloy Navigator via the API must have a matching account in Alloy Navigator. The API supports two types of accounts, the type of account defines the security context of the API user:

  • Application accounts, or just applications, are used by third-party applications that run without a signed-in user present. For details, see Authenticating applications.

  • Technician accounts are used by third-party applications that have a signed-in user present, and that user is an Alloy Navigator technician. Those applications act as the signed-in technician when performing workflow actions via the API.

This article describes how to authenticate applications in Alloy Navigator using technician accounts. Depending on how you want to personalize actions that the application will perform in Alloy Navigator via the API, you can either dedicate a special technician account for API requests or use any other technician account, associated with a real technician.

NOTE: Technician accounts are user accounts for technical staff members who work with Alloy Navigator. For details, see Settings App Help: Managing Technician accounts.

The level of access an API user has to Alloy Navigator is the same, whether the user accesses Alloy Navigator over the API or any other Alloy Navigator module. When access is denied, the API returns a corresponding error message.

The API supports two types of user authentication:

You choose the authentication type when you configure the API module using the Web Configuration tool, on the User Authentication Type page.

NOTE: Since version 8.7, the API module also supports LDAP user authentication: it enables technicians to use their domain credentials with standard authentication for signing in to web and mobile applications. The API also enables user impersonation, see Performing operations on behalf of other users.

INFO: For details, see Installation Guide: Configuring the API module.

Windows authentication

When the API is configured to use Windows authentication, requests to the API must contain authentication information to identify a Windows user account.

The easiest way to generate such requests is to send them under a Windows account that has a matching technician account in Alloy Navigator.

Access Token authentication

When the API is configured to use Access Token authentication, you must obtain an API access token and then specify it in the Authorization header of every request sent to the API.

Obtaining an API Access Token

API access tokens are unique identifiers associated with your Alloy Navigator technician account. Once you have a token, you can specify it in the Authorization header when sending requests to the API.

IMPORTANT: API access tokens are valid for 8 hours.

To obtain an access token, send a POST request to this URL: [API URL]/token.

[API URL] is the API URL, such as https://navigator.example.com/api.

TIP: To view the API URL, start the Web Configuration tool on the web server and navigate to the API module using the sidebar. The URL will be displayed in the main pane, among other configuration information.

HTTP method




POST parameters
Parameter Description


This parameter must be set to password.


The username of the Alloy Navigator technician account.


The password for the Alloy Navigator technician account.

NOTE: Accounts with Windows authentication also require specifying the password.


Here is an example of a correct request.

POST parameters:

grant_type: password
username: <username>
password: <password>


	"access_token": "m_egolZq...zkw",
	"token_type": "bearer",
	"expires_in": 28799

In case of an invalid request the server returns an error message. The following errors may appear:

Error Description


Invalid grant_type, must be password.


Incorrect username or password.