Atlas supports two methods for authentication: API keys and ID tokens.

API keys don't expire and therefore don't require any lifecycle management. Most third and first-party applications will want to use API keys and we recommend doing so with owning user for full access.

ID tokens expire after one hour and must be refreshed using refresh tokens, which last for 30 days. These tokens are issued by a designated OAuth 2 compliant auth server.

Terminology

Auth on Atlas broadly means the following things:

Authentication: verifying your identity as a user of Atlas
Authorization: governs what you're allowed to do
Accessibility: defines what data you're allowed to access

Authentication

You must provide an ID Token to verify your identity as a valid user with Atlas. ID Tokens follow the OAuth standard and are implemented as JWT (Javascript Web Tokens).

Authorization

Is determined by the permission codes ascribed to the user profile being used to access Atlas. Permissions are tightly coupled to the ID token; if they change you ought to request a new ID token to make sure you're granted proper abilities.

Accessibility

Your profile, at the request of your firm's administrator, may be ring-fenced to specific data. Ring fences can be setup at a household level; if your user is indeed ring fenced to a subset of households within the firm you won't be able to see the entire firm's data, regardless of what permissions you have.