BFF API authentication
The BFF (Backend-for-Frontend) API uses session-based authentication. All API requests must include a valid session cookie obtained through the authentication flow with your IAM provider.
Authentication flow
1. IAM authentication: Users authenticate with your configured IAM provider (for example, Okta, Auth0, Keycloak)
2. Session establishment: Upon successful authentication, the BFF establishes a session and issues a session cookie
3. API requests: Include the session cookie with each API request to the BFF
Making authenticated requests
Include the session cookie in your requests:
```bash
# Replace <your-bff-host> with the host the BFF is served from
curl -L 'https://<your-bff-host>/api/organisation/v1' \
  -H 'Accept: application/json' \
  -H 'Cookie: session=your-session-cookie'
```
The BFF validates your session and handles downstream authentication automatically, including:
- Exchanging your IAM authorization token for STS application tokens
- Forwarding authenticated requests to Core and other services
Downstream service authentication
The BFF's authentication mode for calling downstream services (Core, Bridge) is configured independently. The BFF can be configured to call these services with:
- No authentication (INSECURE_NONE)
- Static token authentication (STATIC)
- STS mode (STS) - recommended for production
As an API client, you do not need to manage downstream tokens.
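The following is an added example, not the project's own code, showing how a BFF can resolve the three downstream modes above into the headers it sends to Core or Bridge, failing closed when INSECURE_NONE is used outside local development or when STATIC has no token. The function name, the `env` value and the `exchange` callback are assumptions; the browser's session cookie is never forwarded downstream in any mode.

```python
"""Resolve the BFF downstream auth mode into request headers for Core/Bridge.

Assumptions (not from the project): the mode string comes from the BFF
configuration, `env` is a deployment label such as "dev" or "production",
and `exchange` is the STS token-exchange call (IAM token in, application
token out).
"""
from typing import Callable, Dict, Optional

ALLOWED_MODES = {"INSECURE_NONE", "STATIC", "STS"}


def downstream_headers(mode: str, env: str,
                       static_token: Optional[str] = None,
                       exchange: Optional[Callable[[str], str]] = None,
                       iam_token: Optional[str] = None) -> Dict[str, str]:
    """Return the headers the BFF attaches to a downstream call.

    Raises instead of silently sending an unauthenticated or empty-token
    request, so a misconfiguration shows up at call time rather than as
    an anonymous request reaching Core.
    """
    if mode not in ALLOWED_MODES:
        raise ValueError(f"unknown downstream auth mode {mode!r}")

    if mode == "INSECURE_NONE":
        # Unauthenticated downstream calls: only tolerated in local development.
        if env != "dev":
            raise RuntimeError("INSECURE_NONE is not permitted outside dev")
        return {}

    if mode == "STATIC":
        # One shared secret for every caller; reject an empty/missing token.
        if not static_token:
            raise RuntimeError("STATIC mode requires a non-empty static token")
        return {"Authorization": f"Bearer {static_token}"}

    # STS: swap the caller's IAM authorization token for a short-lived
    # application token, so downstream services see per-request credentials
    # instead of a long-lived shared secret.
    if exchange is None or not iam_token:
        raise RuntimeError("STS mode requires an IAM token and an exchange function")
    return {"Authorization": f"Bearer {exchange(iam_token)}"}
```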