Learn how Wristband authenticates API requests.
Wristband uses the following two schemes to authenticate API requests:
- Bearer Authentication
- Basic Authentication
Most Wristband APIs use Bearer authentication. However, for APIs that must be accessed before a bearer token is created, Basic authentication is required instead. In the sections below, we'll explain how to authenticate with Wristband APIs using these two schemes.
Bearer Authentication
This is the primary method for authenticating API requests. To authenticate using the Bearer authentication scheme, you'll first need to acquire an access token. Access tokens can be acquired for the following two entities:
- Users
- Clients
Acquiring Access Tokens For Users
User access tokens are generated by calling the Create Tokens API using the authorization_code grant type. Typically, you'll call the Create Tokens API as part of your Callback Endpoint, after a user successfully logs in to your application.
Acquiring Access Tokens For Clients
Client access tokens are generated by calling the Create Tokens API using the client_credentials grant type. This is the recommended way to acquire an access token when manually calling Wristband APIs with tools like cURL or Postman. For more information on how to create access tokens using the client_credentials grant type, please see the Getting Access Tokens to Test Wristband APIs tutorial.
Using Access Tokens to Authenticate
Once you've acquired an access token (for either a user or client), you can then pass it in the HTTP Authorization header using the Bearer authentication scheme as shown below:
Authorization: Bearer <access_token>
When the request is received, Wristband validates the access token to authenticate the user or client. If the access token is valid, Wristband processes the API request; otherwise, a 401 response is returned.
Identifying APIs That Use Bearer Authentication
In the API reference, to identify which APIs require Bearer authentication, check the "Credentials" section to see if it says "Bearer".

Basic Authentication
Some Wristband APIs must be called before a bearer token can be created. These APIs use Basic authentication, which requires credentials to be computed by base64 encoding a client ID and secret, separated by a colon (:). For example, if the client ID was client1 and its corresponding secret was abc, the credentials would be computed as follows:
base64Encode(client1:abc)
Once the credentials have been computed, you can then pass them in the HTTP Authorization header using the Basic authentication scheme as shown below:
Authorization: Basic <credentials>
When the request is received, Wristband validates the credentials to authenticate the client. If the credentials are valid, Wristband processes the API request; otherwise, a 401 response is returned.
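The header construction described above, as an added Python example that is not Wristband's own code; the helper names (basic_credentials, basic_header, bearer_header, decode_basic, redact) are assumptions made for illustration. It also shows that Basic credentials decode straight back to the client ID and secret, so the header value needs the same protection as the secret itself.

```python
import base64

def _reject_control_chars(value):
    # CR/LF or other control characters in a header value enable header injection.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control character in credential")

def basic_credentials(client_id, client_secret):
    """Base64-encode "<client_id>:<client_secret>" for the Basic scheme."""
    if ":" in client_id:
        # The receiver splits on the first colon, so an ID containing one is ambiguous.
        raise ValueError("client ID must not contain ':'")
    _reject_control_chars(client_id + client_secret)
    return base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")

def basic_header(client_id, client_secret):
    return {"Authorization": "Basic " + basic_credentials(client_id, client_secret)}

def bearer_header(access_token):
    if not access_token or any(ch.isspace() for ch in access_token):
        raise ValueError("access token must be non-empty with no whitespace")
    _reject_control_chars(access_token)
    return {"Authorization": "Bearer " + access_token}

def decode_basic(credentials):
    """Reverse the encoding: Basic credentials are encoded, not encrypted."""
    raw = base64.b64decode(credentials, validate=True).decode("utf-8")
    client_id, _, client_secret = raw.partition(":")
    return client_id, client_secret

def redact(headers):
    """Return a copy that is safe to log: keep the scheme, drop the credential."""
    safe = dict(headers)
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, sep, _ = value.partition(" ")
            safe[name] = f"{scheme} [REDACTED]" if sep else "[REDACTED]"
    return safe

if __name__ == "__main__":
    # Sample values taken from the client1 / abc example in the text above.
    hdr = basic_header("client1", "abc")
    print(redact(hdr))
    print(decode_basic(hdr["Authorization"].split(" ", 1)[1]))
```

Send either header only over TLS, and pass request headers through something like redact before they reach logs or error reports.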
Identifying APIs That Use Basic Authentication
In the API reference, to identify which APIs require Basic authentication, check the "Credentials" section to see if it says "Basic".

Unauthenticated APIs
Some APIs, like the Authorize API, don't require authentication. These APIs are either intended for public access or use an ephemeral code to authorize the request. For these APIs, the HTTP Authorization header can be omitted from the request.
Identifying Unauthenticated APIs
In the API reference, to identify which APIs don't require authentication, check to see if the "Credentials" section is missing.
