Create access profile | Workato

Create an access profile belonging to an API client. To use this endpoint, the account must contain at least one API to assign to the access profile.

DEPRECATION NOTICE

This endpoint is planned for deprecation on December 1, 2025. Transition to the Create API key endpoint before this date to ensure uninterrupted service.

The response returned depends on the auth type you choose:

Auth token authorization: returns the auth token in the secret response.
JWT token: has two signing methods: HMAC and RSA. Depending on the method you choose, the respective secret or public is required in the payload.
OAuth 2.0: authorization returns the client ID and secret in oauth_client_id and oauth_client secret.

Create an access profile belonging to an API client. To use this endpoint, the account must contain at least one API to assign to the access profile. <Warning title="DEPRECATION NOTICE"> This endpoint is planned for deprecation on December 1, 2025. Transition to the [Create API key](/oem-api/resources/api-platform/create-api-key) endpoint before this date to ensure uninterrupted service.</Warning> The response returned depends on the auth type you choose: - **Auth token authorization**: returns the auth token in the secret response. - **JWT token**: has two signing methods: HMAC and RSA. Depending on the method you choose, the respective secret or public is required in the payload. - **OAuth 2.0**: authorization returns the client ID and secret in `oauth_client_id` and `oauth_client secret`.

Path parameters

managed_user_idstringRequired

Embedded customer ID (external ID). The External ID must be URL encoded and prefixed with an E. For example, EA2300.

Headers

AuthorizationstringRequired

Bearer authentication of the form Bearer <token>, where token is your auth token.

Request

This endpoint expects an object.

namestringRequired

Name of the access profile.

api_collection_idslist of integersRequired

IDs of collections to add to the access profile.

auth_typestringRequired

Authentication method to validate requests. Available types are: token, jwt, oauth2, and oidc.

api_client_idstringOptional

ID of the API client

jwt_methodstringOptional

The JWT signing method. If the auth_type is jwt, this is required. Available methods are hmac and rsa for HMAC and RSA respectively.

jwt_secretstringOptional

Based on the method, specify the HMAC shared secret or the RSA public key.

oidc_issuerstringOptional

Discovery URL of identity provider or OIDC service. Provide only one of this or oidc_jwks_uri, not both. Only applicable if auth_type is jwt or oidc.

oidc_jwks_uristringOptional

JWKS URL of identity provider or OIDC service. Provide the URL or oidc_issuer, not both. Only applicable if auth_type is jwt or oidc.

access_profile_claimstringOptional

If you wish to use a custom claim to identify this access profile, provide the JWT claim key here. Only applicable if auth_type is jwt or oidc.

required_claimslist of stringsOptional

Provide a list of claims that you plan to enforce. Only applicable if auth_type is jwt or oidc.

allowed_issuerslist of stringsOptional

Provide a list of issuers (represented by the ‘iss’ value in JWT claims) that you plan to allow. If the iss claim is enforced in required_claims, leave this field blank to accept any iss value. This parameter is only applicable when auth_type is set to jwt or oidc.

ip_allow_listlist of stringsOptional

List of IP addresses to be allowlisted.

activestringOptional

Whether the access profile is disabled or not. A client with a disabled access profile cannot call an API.

Response

Success reply

idinteger

ID of the access profile.

namestring

Name of the access profile.

api_client_idinteger

ID of the API client to which this access profile belongs.

api_collection_idslist of integers

IDs of the API collections that are accessible by this access profile.

activeboolean

Indicates whether the access profile is disabled or not.

auth_typestring

Authentication method used in the access profile. Possible values are: token, jwt, oauth2, or oidc.

jwt_methodstring

The JWT signing method. Available methods are hmac and rsa for HMAC and RSA respectively. Only applicable if the auth_type is jwt.

jwt_secretstring

Based on the method, specify the HMAC shared secret or the RSA public key.

oidc_issuerstring

Discovery URL of identity provider or OIDC service. Provide the URL or oidc_jwks_uri, not both. Only applicable if auth_type is jwt or oidc.

oidc_jwks_uristring

JWKS URL of identity provider or OIDC service. Provide only one of this or oidc_issuer, not both. Only applicable if auth_type is jwt or oidc.

access_profile_claimstring

Provide the JWT claim if you plan to use a custom claim to identify this access profile. Only applicable if auth_type is jwt or oidc.

required_claimslist of strings

Provide a list of claims that you plan to enforce. Only applicable if auth_type is jwt or oidc.

allowed_issuerslist of strings

Provide a list of issuers (represented by the iss value in JWT claims) that you plan to allow. If the iss claim is enforced in required_claims, leave this field blank to accept any iss value. This parameter is only applicable when auth_type is set to jwt or oidc.

ip_allow_listlist of strings

List of IP addresses to be allowlisted.

created_atstring

Timestamp in ISO 8601 format.

updated_atstring

Timestamp in ISO 8601 format.

1	curl -X POST https://www.workato.com/api/managed_users/managed_user_id/api_access_profiles \
2	-H "Authorization: Bearer <token>" \
3	-H "Content-Type: application/json" \
4	-d '{
5	"name": "name",
6	"api_collection_ids": [
7	1
8	],
9	"auth_type": "auth_type"
10	}'

1	{
2	"id": 26967,
3	"name": "Sales team",
4	"api_client_id": 1,
5	"api_collection_ids": [
6	1391,
7	1388
8	],
9	"active": true,
10	"auth_type": "token",
11	"jwt_method": "jwt_method",
12	"jwt_secret": "jwt_secret",
13	"oidc_issuer": "oidc_issuer",
14	"oidc_jwks_uri": "oidc_jwks_uri",
15	"access_profile_claim": "access_profile_claim",
16	"required_claims": [
17	"required_claims"
18	],
19	"allowed_issuers": [
20	"allowed_issuers"
21	],
22	"ip_allow_list": [
23	"ip_allow_list"
24	],
25	"created_at": "2020-07-31T09:48:55.337-07:00",
26	"updated_at": "2020-07-31T09:48:55.337-07:00"
27	}

DEPRECATION NOTICE

Path parameters

Headers

Request

Response

Errors

DEPRECATION NOTICE