Every call made to the LUSID API must be authorised by an API access token.
Note: The recommended and most secure option is to obtain a short-lived OAuth2.0-compliant token on demand from LUSID’s identity provider, Okta.
If it is not possible to use an OAuth2.0-compliant token, you can create a long-lived personal access token and use this to call the API instead. To do this:
- Sign in to the LUSID web app as the user for whom the personal access token is intended. This is important; if you sign in as a LUSID administrator, the personal access token (and thus the calling application or service) will inherit more permissions than required to perform the operations for which it is designed.
- Navigate to Your Profile (account avatar, top right).
- In the Personal access tokens section, specify a Name for display purposes and, optionally, an Expiry date.
- Click Create token. The token is displayed only once. Store it in a secure system. You cannot ask to see it again. A user can have up to 3 personal access tokens concurrently.
You can now use the long-lived personal access token in place of a short-lived Okta-generated API access token to call the LUSID API, for example (actual token shortened for brevity):
curl -X GET https://<your-domain>.lusid.com/api/api/instruments -H "Authorization: Bearer eyJraWQiOiJvZDFzeFk4WTlPalMyZ2dZT3VidVBYT2dRX0dURkcwZ1...wmlxPjh49DYeEuh_w4vt2Q"
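A token typed on the command line as above ends up in shell history and is visible in process listings. The following is an added example, not part of LUSID's documentation: it reads the token from a file that only its owner can access and hands it to curl on stdin. The names `LUSID_DOMAIN` and `LUSID_TOKEN_FILE` and the default path `~/.lusid/pat` are assumptions.

```shell
#!/usr/bin/env bash
# Added example: call the LUSID API with a personal access token kept off the
# command line. LUSID_DOMAIN, LUSID_TOKEN_FILE and ~/.lusid/pat are assumed names.

# Succeeds only if the token file is non-empty and grants no permissions to
# group or others (for example mode 600 or 400).
check_token_file() {
  local file="$1" mode
  [ -s "$file" ] || { echo "token file missing or empty: $file" >&2; return 1; }
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file") || return 1
  case "$mode" in
    *00) return 0 ;;
    *) echo "token file mode $mode is too open; run: chmod 600 $file" >&2; return 1 ;;
  esac
}

# Prints a curl config line carrying the Authorization header. Tokens containing
# anything outside the RFC 6750 bearer-token alphabet are rejected, so a
# tampered file cannot break out of the quotes and inject other curl options.
build_curl_config() {
  local token
  token=$(tr -d '\r\n' < "$1")
  case "$token" in
    ''|*[!A-Za-z0-9._~+/=-]*) echo "unexpected characters in token" >&2; return 1 ;;
  esac
  printf 'header = "Authorization: Bearer %s"\n' "$token"
}

# GET a LUSID API path. The header reaches curl through --config - (stdin),
# so the token never appears in curl's argument list.
lusid_get() {
  local api_path="$1" cfg file="${LUSID_TOKEN_FILE:-$HOME/.lusid/pat}"
  [ -n "${LUSID_DOMAIN:-}" ] || { echo "set LUSID_DOMAIN first" >&2; return 1; }
  check_token_file "$file" || return 1
  cfg=$(build_curl_config "$file") || return 1
  printf '%s\n' "$cfg" | curl --silent --show-error --fail --config - \
    "https://${LUSID_DOMAIN}.lusid.com${api_path}"
}

# Usage (after sourcing this file): lusid_get /api/api/instruments
```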
To revoke a personal access token, click the Revoke button.
A user’s personal access tokens are automatically revoked when their LUSID account is deleted.