Authentication options

When building solutions with Qlik Sense SaaS, you have three options for authenticating to your tenant depending on your solution requirements. This document introduces these options and considerations to make when using them.

API Keys

An API key is a token representing a user in your tenant. Anyone may interact with the platform programmatically using the API key. The token contains the user context, respecting the access control privileges the user has in your tenant.

Note: Since API keys are essentially credentials, keep them safe and don't share your API keys with others.

API keys are great for use cases where the key isn't visible to the end-user, such as qlik-cli (command line interface), making requests through scripts, or a machine-to-machine backend solution.

Using an API key requires an Authorization HTTP header on each request to your tenant; the key itself is a JWT. An example request using curl:

# This curl command returns user information for the user context the supplied
# API key is associated with. Replace the placeholders with your tenant hostname
# and key; the endpoint path is assumed, as the original page does not show it.
curl "https://[YOUR_TENANT_HOSTNAME]/api/v1/users/me" \
  -H "Authorization: Bearer [YOUR_API_KEY]" \
  -X GET

To generate an API key, navigate to the tutorials section and click the Generate your first API key tutorial.

Interactive sign-in

For web applications, the recommended approach is to use REST endpoints to check whether the browser already has an active Qlik Sense SaaS session and, if it does not, redirect the user to your tenant's sign-in URL.

Web applications embedding Qlik Sense objects or data, also known as mashups, require a web integration id in your tenant's configuration. Web integration ids are a security feature of Qlik Sense SaaS for handling Cross-Origin Resource Sharing (CORS) of embedded Qlik Sense SaaS content.

In addition, web applications with Qlik content embedded in them require a cross-site request forgery (CSRF) token supplied in the URI referencing Qlik Sense SaaS APIs and the Qlik Associative Engine.
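The session probe, sign-in redirect and CSRF token handling described above, as an added example that is not code from this page or from Qlik's tutorial. The endpoint paths (/api/v1/users/me, /api/v1/csrf-token, /login), the qlik-web-integration-id header, the returnto and qlik-csrf-token parameters and the wss://.../app/ engine URL follow Qlik's documented web-app flow as recalled here and are assumptions; fetchImpl is injected so the flow can be exercised offline.

```javascript
// Added example, not code from the Qlik page: browser-side session probe,
// sign-in redirect and CSRF token handling for a mashup. Endpoint paths,
// header and query parameter names are assumed from Qlik's web-app flow.

// Sign-in URL the browser is sent to when no tenant session exists.
function buildLoginUrl(tenant, webIntegrationId, returnTo) {
  const url = new URL(`https://${tenant}/login`);
  url.searchParams.set('returnto', returnTo);
  url.searchParams.set('qlik-web-integration-id', webIntegrationId);
  return url.toString();
}

// Engine WebSocket URL: the web integration id and CSRF token go in the query
// string because a browser cannot set custom headers on a WebSocket upgrade.
function buildEngineUrl(tenant, appId, webIntegrationId, csrfToken) {
  const url = new URL(`wss://${tenant}/app/${encodeURIComponent(appId)}`);
  url.searchParams.set('qlik-web-integration-id', webIntegrationId);
  url.searchParams.set('qlik-csrf-token', csrfToken);
  return url.toString();
}

// Only 401 means "no session". Any other non-2xx (for instance the page's
// origin not being allowed by the web integration) is surfaced as an error;
// redirecting to login in that case would just loop.
function nextStep(status, loginUrl) {
  if (status >= 200 && status < 300) return { action: 'ready' };
  if (status === 401) return { action: 'redirect', url: loginUrl };
  return { action: 'error', status };
}

// fetchImpl is injected (window.fetch in the browser) so the flow runs offline.
// Cookies must be sent (credentials: 'include') for the session check to work.
async function establishSession(fetchImpl, tenant, webIntegrationId, returnTo) {
  const opts = { credentials: 'include', headers: { 'qlik-web-integration-id': webIntegrationId } };
  const probe = await fetchImpl(`https://${tenant}/api/v1/users/me`, opts);
  const step = nextStep(probe.status, buildLoginUrl(tenant, webIntegrationId, returnTo));
  if (step.action !== 'ready') return step;
  // The CSRF token is returned in a response header, not in the body.
  const resp = await fetchImpl(`https://${tenant}/api/v1/csrf-token`, opts);
  const csrfToken = resp.headers.get('qlik-csrf-token');
  if (!csrfToken) return { action: 'error', status: resp.status };
  return { action: 'ready', csrfToken };
}
```

In the browser, a 'redirect' result is handled with `window.location.href = step.url`, and a 'ready' result feeds `buildEngineUrl` to open the engine WebSocket.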

To learn more about establishing connectivity to Qlik Sense SaaS in a web application, navigate to the tutorials section and click the Build a simple web app tutorial.

JSON Web Tokens (JWT)

A JSON web token - commonly referred to as a "JWT" - is a standard for transmitting information between software applications in the form of a JSON object. Because JWTs are signed digitally, they can be verified and trusted using a public / private key pair.

JWTs have two primary use cases: authorization and information exchange. Qlik Sense SaaS reads JWTs from identity providers during authentication and, once authentication succeeds, creates an internal JWT for use during the platform session.

Unlike the Interactive sign-in authentication option for web applications, the external JWT authorization option lets client applications send a custom JWT directly to the platform, bypassing the interactive sign-in to the Qlik tenant, to authorize the user to access the platform. The JWT capability enables developers to provide a seamless integration between their application and Qlik.

Applications connecting to Qlik Sense SaaS with JWTs require the same web integration id and cross-site request forgery prevention as any integration with the platform.

To learn more about using JWT authorization with Qlik Sense SaaS, navigate to the tutorials section and click the Create Signed Tokens for JWT Authorization tutorial.

Web integrations

Web integrations are a feature for handling CORS requests in Qlik Sense SaaS. By default, no CORS communication is allowed to your tenant unless a web integration has been configured to allow it. In essence, web integrations control which third-party domains may interact with your tenant APIs. For example, if you are creating a web application that embeds or fetches content from your tenant, a web integration with a list of allowed (whitelisted) domains (also known as origins) must be created in the management console.

Note: Solutions built with web integrations only act as a regular user in the system. Any action that requires the TenantAdmin role must be performed using API keys (outside of browser environments) or manually through the Management Console.

Make sure your tenant administrator has created a web integration with your intended domains for your web application.

Qlik Help has step-by-step instructions for tenant administrators.

For more in-depth information on how to leverage web integrations in your solutions, see the Build web solutions page.

OAuth 2.0

OAuth is a standard security protocol for authorization and delegation. It allows third-party applications to access API resources without disclosing the end-user's credentials.

Qlik Sense SaaS supports the OAuth 2.0 Authorization Code flow. The OAuth client obtains an authorization code and exchanges it for an access token that can then be used to access Qlik Sense SaaS APIs.

To learn more about how to create an OAuth client, navigate to the tutorials section and click Create an OAuth Client.

Once you have created your OAuth client, you can integrate your application with Qlik Sense SaaS. Refer to the following example pages.
