API connector authentication
When your agent calls an external API through a connector, the request often needs to be authenticated. API connector authentication handles this automatically, so you configure your credentials once, and RCS Studio injects the correct headers into every request made by that connector.
How it works
Each API connector declares an authentication type (e.g. OAuth 2.0, API Key, Bearer Token). This determines what kind of credentials you can create under that connector.
You then create one or more authentication instances—named credential sets with the actual secrets. When you use the connector in a Message, you select which authentication instance to use, and the appropriate headers are injected into the HTTP request automatically.
This design lets you:
- Keep separate credentials for different environments (e.g. "Production" and "Staging") on the same connector
- Rotate credentials without changing any message configuration
- Share a connector definition across teams while using different credentials
Credentials are stored securely and are never returned in API responses after creation.
Authentication types
None — No Authentication
No authentication is applied. Requests are sent without any auth headers.
Use this for public APIs that don't require credentials.
Basic — HTTP Basic Authentication
Standard HTTP Basic Authentication. The username and password are Base64-encoded and sent in the Authorization header with every request.
Required: Username, Password
Injects: Authorization: Basic <base64(username:password)>
{
  "name": "Production Credentials",
  "params": {
    "basic": {
      "username": "my-api-user",
      "password": "my-api-password"
    }
  }
}
Bearer Token — Static Access Token
Sends a static token in the Authorization header. Use this for APIs that provide a long-lived access token that doesn't need to be refreshed.
Required: Token
Injects: Authorization: Bearer <token>
{
  "name": "Production Token",
  "params": {
    "bearerToken": "eyJhbGciOiJIUzI1NiIs..."
  }
}
API Key — Custom Header Authentication
Sends a key-value pair as a custom HTTP header. The header name is configurable — use whatever your API expects (X-API-Key, api-key, Authorization, etc.).
Required: Header name, Key value
Injects: <header-name>: <key-value> (e.g. X-API-Key: sk-abc123)
{
  "name": "Production API Key",
  "params": {
    "apiKey": {
      "name": "X-API-Key",
      "value": "sk-abc123def456"
    }
  }
}
OAuth 2.0 — Client Credentials Flow
Implements the OAuth 2.0 Client Credentials grant. Before each request, RCS Studio automatically fetches an access token from your token endpoint using the client ID and secret, then sends it as a Bearer token.
Required: Token URL, Client ID, Client Secret, Scope
Injects: Authorization: Bearer <access_token>
{
  "name": "Production OAuth",
  "params": {
    "oauth2": {
      "tokenUrl": "https://auth.example.com/oauth/token",
      "clientId": "my-client-id",
      "clientSecret": "my-client-secret",
      "scope": "read write"
    }
  }
}
A new token is fetched per request. Token caching is not currently implemented.
OLO — HMAC Signature Authentication
OLO's proprietary authentication scheme. Each request is signed with an HMAC-SHA256 signature computed from the request method, path, body, and a timestamp. The signature and timestamp are sent as headers.
Required: Client ID, Client Secret
Injects:
Authorization: OloSignature <clientId>:<hmac-sha256-signature>
Date: <UTC timestamp>
{
  "name": "OLO Production",
  "params": {
    "olo": {
      "clientId": "my-olo-client-id",
      "clientSecret": "my-olo-secret-key"
    }
  }
}
Additional headers
All authentication types support additional custom headers. These are extra key-value pairs included with every authenticated request, alongside the auth-specific headers described above.
Use this for any headers your API requires beyond authentication, for example X-Request-Source, X-Tenant-ID, or other custom headers.
{
  "params": {
    "apiKey": {
      "name": "X-API-Key",
      "value": "sk-abc123"
    },
    "headers": {
      "X-Tenant-ID": "tenant-456",
      "X-Request-Source": "rcs-studio"
    }
  }
}
The headers field can be added to any authentication type.
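The following is an added example, not RCS Studio code: it derives the headers that the Basic, Bearer Token and API Key instances described above inject, merges the additional headers, and masks secret-bearing headers for logging. The function names, the rejection of colliding or CR/LF-containing headers, and the colon check on the Basic username are assumptions about what a reviewer would validate; the page does not document how RCS Studio handles these cases. OAuth 2.0 and OLO are left out because they need a token endpoint and a signing string that the page does not give.

```python
import base64

def build_auth_headers(params):
    """Headers one authentication instance adds, plus the names that carry secrets."""
    headers = {}
    if "basic" in params:
        user, pw = params["basic"]["username"], params["basic"]["password"]
        if ":" in user:
            # RFC 7617: the server splits at the first colon, so a colon in
            # the username would shift part of it into the password.
            raise ValueError("Basic username must not contain ':'")
        token = base64.b64encode(f"{user}:{pw}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = "Basic " + token
    elif "bearerToken" in params:
        headers["Authorization"] = "Bearer " + params["bearerToken"]
    elif "apiKey" in params:
        headers[params["apiKey"]["name"]] = params["apiKey"]["value"]
    # With no auth block (type None) nothing is added, so nothing is secret.
    secret_names = {name.lower() for name in headers}
    for name, value in params.get("headers", {}).items():
        # Assumption: an additional header that shadows the auth header is a
        # configuration mistake, so reject it instead of picking a winner.
        if name.lower() in secret_names:
            raise ValueError(f"additional header {name!r} collides with auth header")
        headers[name] = value
    for name, value in headers.items():
        # CR or LF would let a stored value start a new header line.
        if "\r" in name + value or "\n" in name + value:
            raise ValueError(f"CR/LF not allowed in header {name!r}")
    return headers, secret_names

def redact(headers, secret_names):
    """Copy of headers that is safe to log: secret values are masked."""
    return {n: "<redacted>" if n.lower() in secret_names else v
            for n, v in headers.items()}

# Constructed sample instance, using the field layout shown on this page.
SAMPLE = {"apiKey": {"name": "X-API-Key", "value": "sk-abc123"},
          "headers": {"X-Tenant-ID": "tenant-456", "X-Request-Source": "rcs-studio"}}

if __name__ == "__main__":
    hdrs, secrets = build_auth_headers(SAMPLE)
    print(redact(hdrs, secrets))
```

Because the API Key header name is configurable, the set of names to mask is taken from the instance itself and not from a fixed list such as Authorization.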
API Reference
To manage authentication credentials programmatically, see the Connector authentications API.