Documentation for password authentication and API token authentication for REST API requests.



When using the REST APIs, an authentication header is required. There are two main ways to authenticate. Password authentication runs the request with user-level permissions: the authenticated user must have permission to control the App or space for the API call to succeed. The other option is API token authentication, which is scoped to a single App: each App in Kintone can generate its own API tokens, and a token works only with the App that issued it. Session authentication and OAuth authentication, as well as the legacy Basic authentication, are also discussed briefly.

Password authentication

Place an X-Cybozu-Authorization header in the request whose value is the BASE64 encoding of the login name and password joined by a colon, in the form login_name:password. BASE64 is an encoding, not encryption: anyone who can read the header can recover the login name and password, so send these requests only over HTTPS and keep the header value out of logs.

For example, for a login name of "kintone" and a password of "developer", BASE64 encode "kintone:developer" and add this to the header:

X-Cybozu-Authorization: a2ludG9uZTpkZXZlbG9wZXI=

API token authentication

Each App in Kintone can generate API tokens from Advanced Settings in the App's settings menu. Refer to the Generating an API Token article in the Kintone Help for details on generating API tokens for an App. Treat API tokens as credentials: they grant access to the App without a user login, so store them as carefully as passwords and replace them if they are exposed.

Place an X-Cybozu-API-Token header in the request with the API token. If the App's generated API token is "9wOomr3kpP9d1JS34Uyz72xqQ1pLI4PkcziRFTuZ", add the following to the header:

X-Cybozu-API-Token: 9wOomr3kpP9d1JS34Uyz72xqQ1pLI4PkcziRFTuZ

Multiple API tokens may be needed when a REST API operation involves Lookup fields or Related Records fields, since those fields refer to other Apps. Specify the tokens in a single header, separated by commas:

X-Cybozu-API-Token: 9wOomr3kpP9d1JS34Uyz72xqQ1pLI4PkcziRFTuZ,D27Dss1udL2iZtiKMniN0s30goy8gtnnEjn8Z2Ou

The same effect may also be achieved by sending each API token in its own X-Cybozu-API-Token header.
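The following Python is an added example, not code from the Kintone documentation or from Kintone's own SDKs. It builds the X-Cybozu-Authorization and X-Cybozu-API-Token headers described in the two sections above, refuses to emit both at once (password authentication takes priority, so tokens sent alongside it would be silently ignored), and assembles a GET request object without sending it. The host form `https://<subdomain>.kintone.com` and the `/k/v1/records.json` endpoint are assumed from Kintone's REST API and are not described on this page; the subdomain `example` and the credentials are placeholders.

```python
import base64
import urllib.parse
import urllib.request
from typing import Iterable, Optional


def password_auth_header(login_name: str, password: str) -> dict:
    """X-Cybozu-Authorization: BASE64("login_name:password").

    BASE64 is an encoding, not encryption; the login name and password are
    recoverable by anyone who sees the header, so only send it over HTTPS.
    """
    raw = f"{login_name}:{password}".encode("utf-8")
    return {"X-Cybozu-Authorization": base64.b64encode(raw).decode("ascii")}


def api_token_header(tokens: Iterable[str]) -> dict:
    """X-Cybozu-API-Token with one or more tokens, comma separated.

    Several tokens are needed when an operation touches other Apps through
    Lookup or Related Records fields.
    """
    cleaned = [t.strip() for t in tokens if t and t.strip()]
    if not cleaned:
        raise ValueError("at least one API token is required")
    return {"X-Cybozu-API-Token": ",".join(cleaned)}


def auth_headers(
    *,
    login_name: Optional[str] = None,
    password: Optional[str] = None,
    api_tokens: Optional[Iterable[str]] = None,
) -> dict:
    """Return exactly one kind of Kintone authentication header.

    Password authentication has priority over API token authentication, so
    a request carrying both headers is authenticated as the user and the
    tokens are ignored. Refusing to emit both surfaces that mistake at the
    call site instead of as a confusing permission error from the server.
    """
    if (login_name is None) != (password is None):
        raise ValueError("login_name and password must be supplied together")
    tokens = list(api_tokens or [])
    if login_name is not None and tokens:
        raise ValueError("use password authentication or API tokens, not both")
    if login_name is not None:
        return password_auth_header(login_name, password)
    if tokens:
        return api_token_header(tokens)
    raise ValueError("no credentials supplied")


def build_get_records_request(subdomain: str, app_id: int, headers: dict,
                              query: str = "") -> urllib.request.Request:
    """Assemble GET /k/v1/records.json for an App (assumed endpoint).

    Returns the Request without sending it so the headers can be inspected;
    urllib.request.urlopen(req) would perform the call over HTTPS.
    """
    params = {"app": str(app_id)}
    if query:
        params["query"] = query
    url = (f"https://{subdomain}.kintone.com/k/v1/records.json?"
           + urllib.parse.urlencode(params))
    return urllib.request.Request(url, headers=headers, method="GET")


if __name__ == "__main__":
    # Placeholder credentials from the page; "example" is an assumed subdomain.
    req = build_get_records_request(
        "example", 1, auth_headers(login_name="kintone", password="developer"))
    # urllib normalises header names, so look it up in that form.
    print(req.full_url, req.get_header("X-cybozu-authorization"))
```

Note that urllib stores header names in capitalised form, so after construction the header is read back as "X-cybozu-authorization"; the wire value is unchanged.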

Session authentication

Session authentication is a method where the web server assigns a session ID to a user and saves it in a cookie; the cookie then identifies and authenticates the user on subsequent requests. Session authentication can only be used by JavaScript code running on Kintone pages. Because the browser attaches the cookie automatically, CSRF tokens are required when using session authentication with the POST, PUT or DELETE methods. Refer to the Get CSRF Token documentation for details on retrieving a CSRF token.

Authentication priority

Authentication methods are evaluated in the following order of priority; when a request carries credentials for more than one method, the higher-priority method is used:

  1. Password authentication
  2. API Token authentication
  3. Session authentication

Guest users running API calls can only use session authentication; password authentication is not available to them.

OAuth clients may also be used for authentication. Refer to How to Add OAuth Clients for more information.

Basic authentication (Legacy)

The Basic Authentication feature is a Legacy feature which may not be available anymore for some Kintone domains. Kintone environments that run on a domain will not be able to use the Basic Authentication feature.

Kintone environments that use Basic authentication need an additional Authorization header: the word "Basic", a space, then the BASE64 encoding of "basic_login_name:password". This header is sent in addition to the X-Cybozu-Authorization or X-Cybozu-API-Token header, not instead of it. REST API requests for Apps in guest spaces do not need a Basic authentication header, because Basic authentication cannot be used for guest spaces. If the Basic authentication login name is "chocolate" and the password is "pudding", BASE64 encode "chocolate:pudding" and add this to the header:

Authorization: Basic Y2hvY29sYXRlOnB1ZGRpbmc=
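As an added example (not code from the Kintone documentation or from Kintone itself), the following Python builds the legacy Basic authentication header, combines it with the Kintone authentication header for a request while omitting it for Apps in guest spaces, and decodes a Basic value to show that the credentials are recoverable from any captured request. The helper names and the placeholder credentials are this example's own.

```python
import base64
import binascii
from typing import Optional, Tuple


def legacy_basic_auth_header(basic_login_name: str, password: str) -> dict:
    """Authorization: Basic BASE64("basic_login_name:password")."""
    raw = f"{basic_login_name}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def decode_basic_credentials(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (login_name, password) from an Authorization: Basic value.

    BASE64 is reversible, so anyone who captures the request (for example
    from a proxy log) gets the plaintext credentials back. Returns None
    when the value is not a well-formed Basic credential.
    """
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The login name may not contain a colon, so split at the first one.
    login_name, sep, password = decoded.partition(":")
    if not sep:
        return None
    return login_name, password


def request_headers(kintone_auth: dict,
                    basic_login_name: Optional[str] = None,
                    basic_password: Optional[str] = None,
                    guest_space: bool = False) -> dict:
    """Combine the Kintone authentication header with legacy Basic auth.

    kintone_auth is the X-Cybozu-Authorization or X-Cybozu-API-Token header
    for the request. The Basic header is sent in addition to it for
    environments that use Basic authentication, except for Apps in guest
    spaces, where Basic authentication cannot be used and it is omitted.
    """
    headers = dict(kintone_auth)
    if guest_space or basic_login_name is None:
        return headers
    if basic_password is None:
        raise ValueError("basic_password is required with basic_login_name")
    headers.update(legacy_basic_auth_header(basic_login_name, basic_password))
    return headers


if __name__ == "__main__":
    # Placeholder values from the page; the API token is a constructed stand-in.
    hdrs = request_headers({"X-Cybozu-API-Token": "example-token"},
                           "chocolate", "pudding")
    print(hdrs)
    print(decode_basic_credentials(hdrs["Authorization"]))
```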