# Setting up authentication

{% embed url="<https://youtu.be/7MCJ_1_ti4k>" %}

## Authentication Overview

We offer multiple authentication methods ranging from **basic auth** to **Oauth2**. Although often used in the same sentence, authentication and authorization are not the same. Authorization happens after your identity has been authenticated (confirmed to be who you are) by an app. Thus, you are authorized to get access to data, files, and the like.

### How to start setting up authentication?

In the side-menu of the app, click on **Connector Auth** to get to the authentication screen. Next, click on the **Add** button in the upper left corner. Now you should see the below screen:

<figure><img src="https://291121471-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-McrRFZHYH27bqKzOVDd%2Fuploads%2FYc9R46coxtkQOncvShvS%2Fimage.png?alt=media&#x26;token=fbaba21c-17e0-40d1-9aee-bd916866fdb7" alt="" width="563"><figcaption></figcaption></figure>

Select the Connector or Helper you want to set auth up for - then:

1. Enter a **Name** that describes the Connector or Helper as well as the environment e.g. DEV, Production or the like.
2. Only enter an **API Endpoint** if the integration requires a subdomain or if you want to send a request e.g. against an older version of the API. You can place the full URL of endpoints later in the FlowBuilder and don't have to do it here.
3. In the **Auth Type** drop-down, depending on whether we offer one or both authentication methods, you will only see those auth types that we offer. For e.g. the Rest helper we offer both, but most likely you will need basic\_auth

## Authentication Type

### Authentication with OAuth2

Let's suppose you select Slack. Enter the name and select oauth2 and then hit Confirm:

<figure><img src="https://291121471-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-McrRFZHYH27bqKzOVDd%2Fuploads%2FoHNPdU6QVg2VCxoPFuED%2Fimage.png?alt=media&#x26;token=315c237f-2e3b-4db8-b245-1a434dc156f1" alt="" width="563"><figcaption></figcaption></figure>

Now you will be redirected to the Slack authentication screen that you may know from other apps. Review the content and click allow:

<figure><img src="https://291121471-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-McrRFZHYH27bqKzOVDd%2Fuploads%2F9C53AcXNBUqVaGUzmUWg%2Fimage.png?alt=media&#x26;token=4fbba9e6-49f8-4e16-9d7c-bb2c94d875ae" alt="" width="563"><figcaption></figcaption></figure>

### Authentication with Basic Auth for helpers

#### Basic Auth for Helpers e.g. REST Helper

To setup basic auth for the REST Helper, enter a name, select basic\_auth, and enter the full API token in the **Auth token** field.&#x20;

<figure><img src="https://291121471-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-McrRFZHYH27bqKzOVDd%2Fuploads%2FfRNjP3De8J1cVJr0OVtI%2Fimage.png?alt=media&#x26;token=f0721ba2-55e6-400a-b0dd-6d93fd78ab32" alt="" width="563"><figcaption></figcaption></figure>

If the token requires a  "Bearer " or "Basic "  prefix enter it in full like this:

```
Bearer ey_my_secret_token
```

or

```
Basic ey_my_secret_token
```

The auth details field is usually not needed. Should your authentication require user:password base64 encoded, please combine the user:password as described, base64 encode it someone on your Computer / Mac, and then enter the base64 encoded string with the prefix like this:

```
Basic my_base_64encoded_token
```

Once all is entered, click **Confirm** and start using the Authentication in all of your automation flows. It is visible only on the Connector or Helper you set it up for.

### Authentication with Basic Auth for Connectors

For connectors, basic auth is setup in the same way as for helpers, but we do the base64 encoding for you and save you some work. \
Example with Freshdesk:

E.g. for Zendesk, which requires a subdomain, Enter the full domain including the subdomain and trailing slash like:&#x20;

* Enter your API-token non-base64 encoded as it is. Locoia does the base64 encoding for you in the background.
* Specify a subdomain. We automatically add it to the endpoint so it looks like this:

```
https://my-company.freshdesk.com/api/v2/
```

<figure><img src="https://291121471-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-McrRFZHYH27bqKzOVDd%2Fuploads%2FG3Vf5eUYekL2p1xObZke%2Fimage.png?alt=media&#x26;token=f523257f-2b40-4963-a1ed-71e7122e1462" alt="" width="563"><figcaption></figcaption></figure>

Finally, hit confirm and start using the authentication in your flows in the FlowBuilder. It is visible only on the Connector or Helper you set it up for.

### Authentication with Private SSH Key

You can use authentication with a private SSH key together with a sFTP connection via the [FTP Helper](https://docs.locoia.com/connectors/helpers/ftp-client). When setting up a new Connector Auth for the FTP Helper, you simply have to change the **Auth Type** to **private**\_**ssh*****\_*****key**:

<figure><img src="https://291121471-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-McrRFZHYH27bqKzOVDd%2Fuploads%2FHKVydTjD9PfXjX7ZGOhW%2Fimage.png?alt=media&#x26;token=6d79fb76-f701-466b-a7b8-812e7aa6ac76" alt="" width="563"><figcaption><p>Changing the <strong>Auth Type</strong> for the FTP Helper</p></figcaption></figure>

You then have to enter your username and upload the private key file.

## Authentication Tips & Tricks

If an API has two endpoints, please create two ConnectorAuths, one for each endpoint.\
Example: the Dropbox API has `api.dropbox.com` for regular API calls and `content.dropbox.com` for all file-related API calls.\
&#x20;This allows you to have individual Base-Domains per each endpoint.

## Authentication FAQs

<details>

<summary>How does Locoia store authentication details?</summary>

Locoia stores authentication details, such as API keys, passwords or refresh tokens, for its users in order to connect to the respective systems on their behalf once users build flows and use those authentications.

First, authentication details are **encrypted on the application level** before they are stored in our database. Secondly, our database and all its content is **additionally encrypted**.

</details>

<details>

<summary>Who can access the authentication details?</summary>

No authentication details can be extracted in any way, other than using them as part of a **request to the respective systems** they are intended for as per Locoia's users.

This means no one, besides the system receiving the request, can see your credentials such as API key or passwords.

</details>

<details>

<summary>Can Locoia employees may access my account for support?</summary>

Yes, but any activity and usage of Authentication e.g. as part of a flow run is logged in audit logs. So if a Locoia employee provides support, this leaves traces and users can see exactly what happened.

</details>