Authentication & Setup

Before you can call the Workflow API you need an integration. You create one in the APLYiD portal, where you provide the Webhook URL we should notify and receive an Access Token to authenticate your requests.

Setting up an integration

Integrations are managed from the APLYiD portal:

Sign in to the APLYiD portal and open the Integrations section.
Create a Test or Live integration (see the difference below).
Enter the Webhook URL — the HTTPS endpoint on your server where we'll send events (you can change this later).
Copy your Access Token. This is the secret you'll send with every API request.

Store your Access Token securely

The Access Token is shown once, at the moment it is created. Store it somewhere safe (for example, your secrets manager). If you lose a Live integration's token you can regenerate it; a Test integration's token cannot be regenerated.

Test vs Live integrations

Both Test and Live integrations use the same base URL and the same authentication header - they differ only in their intended use and management rules. You can set up a Test integration while testing out the product on a free trial. The Access Key generated as part of a Test integration lasts for 30 days. Once you have an active subscription, you can set up a Live integration, with an Access Key that does not expire, and can be regenerated.

	Test integration	Live integration
Intended use	Building and testing your integration while on free trial	Production traffic
Active subscription required	No	Yes
Access Token can be regenerated	No	Yes

Authenticating your requests

Send your Access Token in the X-Workflow-Access-Key header on every request:

X-Workflow-Access-Key: <your access token>

cURLJavaScript

bash

curl https://api.workflow.aplyid.com/integrations/core/cases \
  -X POST \
  -H "Content-Type: application/json" \
  -H "X-Workflow-Access-Key: YOUR_ACCESS_TOKEN" \
  -d '{ "activity": { ... }, "client": { ... } }'

await fetch("https://api.workflow.aplyid.com/integrations/core/cases", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "X-Workflow-Access-Key": "YOUR_ACCESS_TOKEN",
  },
  body: JSON.stringify({ activity: { /* ... */ }, client: { /* ... */ } }),
});

NOTE

The Access Token identifies your company and the integration it belongs to. You do not need to send any other authentication header (no Authorization header is required).

Managing your integration

From the portal you can, at any time:

Update the Webhook URL — point events at a new endpoint (for example, when you move environments).
Regenerate the Access Token — available for Live integrations only. Regenerating immediately invalidates the previous token, so update your systems with the new value.

Authentication errors

If the X-Workflow-Access-Key header is missing or the token is invalid, the request is rejected before it reaches the API:

401 Unauthorized

json

{
  "message": "Unauthorized"
}

Make sure the header name is exactly X-Workflow-Access-Key.

Authentication & Setup ​

Setting up an integration ​

Test vs Live integrations ​

Authenticating your requests ​