Inbound Authentication

The Moveworks API support two forms of authentication.

  1. OAuth 2.0 Client Credentials
  2. API Key

You can view & manage your API keys in the Events Workspace

  • Click the App Switcher icon (𓃑) in the top right.
  • Select Creator Studio.
  • Select Events.
  • Select Credentials.

Keep your API keys & OAuth 2.0 Clients locked down—they're powerful. Avoid dropping them in places like GitHub or client-side code.

OAuth 2.0 Client Credentials

Provisioning

Moveworks does not store the Client ID or Client Secret in any database internally. Raw credentials are never written to disk. It is hashed upon generation and only the hash is stored.

Client ID and Client Secrets never expire. However, the Access Token generated from them expires every 60 min

Usage

The created Client ID and Client Secret will be exchanged for an Access Token via an API Request.

Request:

Copy
Copied
curl --location --request POST 'https://api.moveworks.ai/oauth/v1/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<YOUR_CLIENT_ID_HERE>' \
--data-urlencode 'client_secret=<YOUR_CLIENT_SECRET_HERE>' \
--data-urlencode 'grant_type=client_credentials'

Response:

Copy
Copied
{
    "access_token": "mwt_fnl7yb8hqqz3o3gnd37nuydasdatl8p0yooafkc62spzu8rpwnkb7x563g9s",
    "expires_in": 3600,
    "token_type": "Bearer"
}

The returned Access Token will only be valid for 3600 seconds (60 min).

It will be passed a Bearer Token in the header of your Events API Requests.

Example:

Copy
Copied
curl -i -X POST \
  'https://api.moveworks.ai/rest/v1/events/{event_id}/messages/send' \
  -H 'Authorization: Bearer <YOUR_ACCESS_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "message": "This is a rich message that supports <b>bold</b> and <i>italics</i>.<br><br> Did I mention, we also support:<br><ul><li>Lists</li><li><a href=\\\"https://moveworks.com\\\">Links</a></li><li>and just about <a href=\\\"https://www.webfx.com/tools/emoji-cheat-sheet/\\\"> any emoji you want </a>:fire:</li></ul>",
    "recipients": [
      "recipient1@moveworks.ai",
      "recipient2@moveworks.ai"
    ]
  }'

Revocation

In the event that your credential is exposed internally within your organization, you can delete it by clicking the trashcan icon right next to the credential If you are still having issues, reach out to your CSE or support@moveworks.ai to delete them.

API Key

Provisioning

Moveworks does not store the API Key in any database internally. Raw credentials are never written to disk. It is hashed upon generation and only the hash is stored.

API Keys never expire.

Usage

The created API Key is passed as a Bearer Token through a header in the Events API Request.

Example:

Copy
Copied
curl -i -X POST \
  'https://api.moveworks.ai/rest/v1/events/{event_id}/messages/send' \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "message": "This is a rich message that supports <b>bold</b> and <i>italics</i>.<br><br> Did I mention, we also support:<br><ul><li>Lists</li><li><a href=\\\"https://moveworks.com\\\">Links</a></li><li>and just about <a href=\\\"https://www.webfx.com/tools/emoji-cheat-sheet/\\\"> any emoji you want </a>:fire:</li></ul>",
    "recipients": [
      "recipient1@moveworks.ai",
      "recipient2@moveworks.ai"
    ]
  }'

Revocation

In the event that your credential is exposed internally within your organization, you can delete it by clicking the trashcan icon right next to the credential If you are still having issues, reach out to your CSE or support@moveworks.ai to delete them.