How to access and manage your API token

Introduction

To communicate with iQualify's APIs, external apps must provide a means of authentication. This prevents unauthorised access to your data.

Authentication is granted through the use of an API access token, also called bearer token. This access token is generated by iQualify when an account owner enables the API feature. The API access token can only be viewed by account owners. When calling an API, the external app will send an “Authorization header” containing the access token to the API’s URL, together with the API parameters. When receiving this, iQualify will check the token and either reject the access if not authorised, or accept it and perform the requested action.

This article explains how to:

Enable/disable your API access
View your access token
Use your access token

Data Security

Because the API access token provides access to your learner and organisational data, you need the highest level of permission to access it: you must be an account owner. When you obtain your token, make sure to keep it secure and do not store it anywhere that is openly accessible to others. If you do need to store it outside iQualify or to share it with your developers, it is recommended you use a password manager that allows secure sharing.

How to enable or disable API Access

Account owners can enable API access by navigating to the API Access section of the Account Settings area:

Login as account owner
Click on your avatar (or profile icon) in the top right corner of iQualify
Select Account Settings

Next click on the side navigation bar and select API Access

Enable/disable API Access

To enable access simply tick the appropriate box.
To disable access untick the box.
Then click the Update button to save your changes

Outcomes

When you enable API Access, an API access token will be generated for you. It won’t be visible to you until you have read and agreed to the security statement on that page.
When you disable API Access, any previously generated API access token will become invalid and any previously configured calls to the API will be rejected as unauthorised. Disabling must therefore be done after careful consideration of its implications.
When you re-enable API Access after having disbaled it, a new API access token will be generated, and it is this new token that must be used to access the API.

How to view your API access token

To view your API access token navigate to the API Access section of the Account Settings area:

make sure the API Access is enabled (see above)
read the security statement
press Agree to confirm you agree with it.

Your API access token will be displayed in the form:

Bearer xxxx

where xxxx is a long encrypted string.

You will need to copy this token and paste it into the appropriate fields of the tool you are using to access the API. See below for information.

It is essential to remember that your API token should always be kept secure and private as it provides high level access to your organisational and learner information.

How to use your Access Token

I have my API token, how do I get started?

You will need the API access token when you:

try out an API on our API developer site https://iqualify.readme.io/
access our API via coding - the API Access page shows an example of a curl statement, and the developer site above provides all the info you need.
access our API via an API testing tool like Postman
access our API using an automation tool like Zapier

They will all request you to enter something like an “Authorization header” (with z), which ultimately looks like this:

Authorization: Bearer xxxx

Please note that in some cases you need to paste the entire token including the word “Bearer” followed by a space and the encrypted string, and in some other cases you only need the encrypted string. It depends on the interface that the tool offers for entering the Authorization header.