Create access profile | Workato

Create an access profile belonging to an API client. To use this endpoint, the account must contain at least one API collection to assign to the access profile.

DEPRECATION NOTICE

This endpoint is planned for deprecation on December 1, 2025. Transition to the Create an API key endpoint before this date to ensure uninterrupted service.

The response returned depends on the auth type chosen (Auth token, JSON web token, or OAuth 2.0).

Auth token: returns the auth token in the secret response.
JWT token: has two signing methods: HMAC and RSA. Depending on the method you choose, the respective secret or public is required in the payload.
OAuth 2.0: returns the client ID and secret in oauth_client_id and oauth_client secret.

Create an access profile belonging to an API client. To use this endpoint, the account must contain at least one API collection to assign to the access profile. <Warning title="DEPRECATION NOTICE"> This endpoint is planned for deprecation on December 1, 2025. Transition to the [Create an API key](/workato-api/resources/api-platform/create-api-key) endpoint before this date to ensure uninterrupted service.</Warning> The response returned depends on the auth type chosen (Auth token, JSON web token, or OAuth 2.0). - **Auth token**: returns the auth token in the secret response. - **JWT token**: has two signing methods: HMAC and RSA. Depending on the method you choose, the respective secret or public is required in the payload. - **OAuth 2.0**: returns the client ID and secret in `oauth_client_id` and `oauth_client secret`.

Headers

AuthorizationstringRequired

Bearer authentication of the form Bearer <token>, where token is your auth token.

Request

This endpoint expects an object.

namestringRequired

Name of the access profile.

api_collection_idslist of integersRequired

IDs of collections to add to the access profile.

auth_typestringRequired

The authentication method used to validate requests. Available types are: token, jwt, oauth2, and oidc.

api_client_idstringOptional

ID of the API client.

jwt_methodstringOptional

The JWT signing method. If the auth_type is jwt, this is required. Available methods are hmac and rsa for HMAC and RSA respectively.

jwt_secretstringOptional

Based on the method, specify the HMAC shared secret or the RSA public key.

oidc_issuerstringOptional

The discovery URL of the identity provider or the OIDC service. Provide only one of this or oidc_jwks_uri, not both. Only applicable if auth_type is jwt or oidc.

oidc_jwks_uristringOptional

JWKS URL of identity provider or OIDC service. Provide only one of this or oidc_issuer, not both. Only applicable if auth_type is jwt or oidc.

access_profile_claimstringOptional

Provide the JWT claim key to use a custom claim to identify this access profile. Only applicable if auth_type is jwt or oidc.

required_claimslist of stringsOptional

Provide a list of claims to enforce. Only applicable if auth_type is jwt or oidc.

allowed_issuerslist of stringsOptional

Provide a list of issuers (represented by the iss value in JWT claims) to allow. If the iss claim is enforced in required_claims, leave this field blank to accept any iss value. This parameter is only applicable when auth_type is set to jwt or oidc.

ip_allow_listlist of stringsOptional

List of IP addresses to be allowlisted.

activestringOptional

Indicates whether the access profile is disabled or enabled. A client with a disabled access profile cannot call APIs.

Response

Success reply

idinteger

ID of the access profile.

namestring

Name of the access profile.

api_client_idinteger

ID of the API client to which this access profile belongs to.

api_collection_idslist of integers

IDs of the API collections that are accessible by this access profile.

activeboolean

Indicates whether the access profile is disabled or enabled.

auth_typestring

Authentication method used in the access profile. Possible values are token, jwt, oauth2, and oidc.

jwt_methodstring

The JWT signing method. Available methods are hmac and rsa for HMAC and RSA respectively. Only applicable if the auth_type is jwt.

jwt_secretstring

Based on the method, specify the HMAC shared secret or the RSA public key.

oidc_issuerstring

Discovery URL of identity provider or OIDC service. Provide only one of this or oidc_jwks_uri, not both. Only applicable if auth_type is jwt or oidc.

oidc_jwks_uristring

JWKS URL of identity provider or OIDC service. Provide only one of this or oidc_issuer, not both. Only applicable if auth_type is jwt or oidc.

access_profile_claimstring

If you wish to use a custom claim to identify this access profile, provide the JWT claim key here. Only applicable if auth_type is jwt or oidc.

required_claimslist of strings

Provide a list of claims that you wish to enforce. Only applicable if auth_type is jwt or oidc.

allowed_issuerslist of strings

Provide a list of issuers (represented by the iss value in JWT claims) that you wish to allow. If the iss claim is enforced in required_claims, leave this field blank to accept any iss value. This parameter is only applicable when auth_type is set to jwt or oidc.

ip_allow_listlist of doubles

List of IP addresses to be allowlisted.

created_atstring

Timestamp in ISO 8601 format.

updated_atstring

Timestamp in ISO 8601 format.

1	curl -X POST https://www.workato.com/api/api_access_profiles \
2	-H "Authorization: Bearer <token>" \
3	-H "Content-Type: application/json" \
4	-d '{
5	"name": "name",
6	"api_collection_ids": [
7	1
8	],
9	"auth_type": "auth_type"
10	}'

1	{
2	"id": 26985,
3	"name": "Acme",
4	"api_client_id": 1255,
5	"api_collection_ids": [
6	1395
7	],
8	"active": true,
9	"auth_type": "token",
10	"jwt_method": "jwt_method",
11	"jwt_secret": "jwt_secret",
12	"oidc_issuer": "oidc_issuer",
13	"oidc_jwks_uri": "oidc_jwks_uri",
14	"access_profile_claim": "access_profile_claim",
15	"required_claims": [
16	"required_claims"
17	],
18	"allowed_issuers": [
19	"allowed_issuers"
20	],
21	"ip_allow_list": [
22	192.158138,
23	193.149127
24	],
25	"created_at": "2020-06-15T22:20:15.327-07:00",
26	"updated_at": "2020-06-15T22:20:15.327-07:00"
27	}

DEPRECATION NOTICE

Headers

Request

Response

Errors

DEPRECATION NOTICE