Authenticating

API Authentication ensures only authorized parties can interact with the available resources and perform necessary actions. UiPath offers multiple methods of authentication for different scenarios.

Learn more about the available authentication methods in the Automation Suite guide.

Local User Authentication via a Bearer Token (ROPC authentication)

Important: We support authentication through ROPC for backwards compatibility for Orchestrator instances that have been migrated from standalone to Automation Suite deployments.Only Host administrators should authenticate using the /api/account/authenticate/ endpoint.Business users should authenticate using External Applications.

The resource owner password credentials authentication method is tenant scoped, therefore external application won't be able to authenticate using this method, as an external app cannot be created at tenant level.

To retrieve the access token, make a POST request to the {OrchestratorURL}/api/account/authenticate endpoint with the following payload:
```
{
    "TenancyName": "{account_tenancy_name}",
    "UsernameOrEmailAddress": "{account_username}",
    "Password": "{account_password}"
}{
    "TenancyName": "{account_tenancy_name}",
    "UsernameOrEmailAddress": "{account_username}",
    "Password": "{account_password}"
}
```
In the above request:
- {account_tenancy_name}—is the tenant unique identifier in your Automation Suite account
- {account_username}—is the username of your Automation Suite account
- {account_password}—is the password used to log in to your Automation Suite account
To find the TenancyName value of your Orchestrator instance, make a GET request to the /odata/Users/UiPath.Server.Configuration.OData.GetCurrentUser endpoint.
The response body returns the bearer token, used by your application to authorize further API calls. Therefore, in the Authorization header of an API call, append Bearer xxxx and replace xxxx with the {access_token} value (for example, Authorization: Bearer eyJhbG ... LnVxjA).
```
{
    "result": "{access_token}",
    "targetUrl": null,
    "success": true,
    "error": null,
    "unAuthorizedRequest": false,
    "__abp": true
}{
    "result": "{access_token}",
    "targetUrl": null,
    "success": true,
    "error": null,
    "unAuthorizedRequest": false,
    "__abp": true
}
```
By default, the access token is valid for 30 minutes. To generate a new one, make another call to the api/account/authenticate endpoint.
Important: If your organization uses the Azure Active Directory model, you must register external applications in Orchestrator and use the OAuth flow.

Accessing Swagger

If you are using Swagger to try our API, just log in to your Orchestrator instance in a separate tab.

The Orchestrator API Swagger definition can be accessed by adding the /swagger/ui/index#/ suffix to your Orchestrator URL. For example, https://{yourDomain} /swagger/ui/index#/.

Note: The Swagger authentication expires according to the parameters set in your Orchestrator instance. By default, it is set to 30 minutes. You can change it by modifying the value of the Auth.Cookie.Expire parameter, in the Web.config file.