{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":[]},"type":"markdown"},"seo":{"title":"Authenticating with Hyperproof","description":"Hyperproof developer resources for custom integrations.","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"authenticating-with-hyperproof","__idx":0},"children":["Authenticating with Hyperproof"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Every HTTP request made to Hyperproof APIs must be authenticated by Hyperproof. Hyperproof uses ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OAuth 2.0"]}," as the primary means for request authentication."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"using-oauth-20","__idx":1},"children":["Using OAuth 2.0"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["OAuth 2.0 allows applications to obtain access to objects in Hyperproof such as controls, labels, issues, proof, custom fields, etc."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The following sections provide an overview of the OAuth protocol and how it's used with the Hyperproof API."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"oauth-roles","__idx":2},"children":["OAuth roles"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The OAuth protocol defines four specific roles. 
These roles are actively involved in the process of the authentication flow with Hyperproof APIs:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Resource owner"]}," - The resource owner is an active Hyperproof user who can either authorize or decline a client from accessing information in a Hyperproof organization."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authorization server"]}," - The authorization server is responsible for authenticating the user and allowing them to consent to API access. The authorization server also provides access tokens and refresh tokens."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Resource server"]}," - The resource server is the server that hosts the resource. If your app integrates with the Hyperproof API to obtain data that resides in a Hyperproof organization, the Hyperproof API server is considered the resource server."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client"]}," - The client is the app that requests access to the user’s information. If your app makes access requests to the Hyperproof API, your app is considered to be the client."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note"]},": In this article, you'll notice the terms \"Client\" and \"app\" are used interchangeably. 
Both of these terms refer to the app that needs to integrate with the Hyperproof API."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"oauth-grant-types","__idx":3},"children":["OAuth grant types"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Hyperproof APIs support ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["client credentials"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The client credentials flow benefits an app that:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Is intended for a specific Hyperproof organization, or"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Runs as a machine-to-machine integration (e.g. a CLI tool, background service, or backend process)."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This flow generates an access token, which must be included in the authorization header of your API requests."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For more information, refer to ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/hyperproof-api/api-002-oauth-client-credentials-flow"},"children":["OAuth client credentials flow"]},"."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"api-requests","__idx":4},"children":["API requests"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["All API requests must be made over HTTPS."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The base URL for the request is ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["https://api.hyperproof.app/v1/"]},". 
The complete URL varies depending on the resource being accessed."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For example, to list all of the controls in an organization, you must make an ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["HTTP GET"]}," request to this URL: ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["https://api.hyperproof.app/v1/controls"]},". For this API to succeed, your app must have the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["control.read"]}," scope."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The access token retrieved through the OAuth 2.0 authorization code flow or the client credentials flow must be included in each request using the authorization header:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"header":{"controls":{"copy":{}}},"source":"Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ2ZXIiOiIxLjAiLCJpc3...\n"},"children":[]}]},"headings":[{"value":"Authenticating with Hyperproof","id":"authenticating-with-hyperproof","depth":2},{"value":"Using OAuth 2.0","id":"using-oauth-20","depth":3},{"value":"OAuth roles","id":"oauth-roles","depth":3},{"value":"OAuth grant types","id":"oauth-grant-types","depth":3},{"value":"API requests","id":"api-requests","depth":2}],"frontmatter":{"seo":{"title":"Authenticating with Hyperproof"}},"lastModified":"2026-06-08T17:56:17.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/hyperproof-api/authentication","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}