  • HTTP Basic Authentication, as described in RFC 2617, for authenticating user accounts
  • API key authentication, using a long-lived key previously allocated by the web console, for administrator functions. For account management you will need the 'Full access' permission set on the key.


In order to authenticate to the API, you must


Basic auth can no longer be used for administrator functions because of the multi-factor authentication requirement; you will need an API key (see API keys).

Basic authentication can be used to verify the credentials for an account (these would probably have been collected via a login form). 
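As an added example (not part of the OpenAthens documentation), this sketch shows how an application could turn credentials from a login form into the RFC 2617 `Authorization` header and attach it to a request. The endpoint URL is a placeholder, the function names are hypothetical, and UTF-8 encoding of the credentials is an assumption.

```python
import base64
from urllib.parse import urlsplit
from urllib.request import Request


def basic_auth_header(username: str, password: str) -> str:
    """Return the Authorization header value in the RFC 2617 Basic scheme."""
    if not username or not password:
        raise ValueError("username and password are required")
    # RFC 2617: the user-id must not contain ':' because the first colon
    # separates user-id from password when the server decodes the token.
    if ":" in username:
        raise ValueError("username must not contain ':'")
    # Assumption: credentials are encoded as UTF-8 before base64.
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def build_verify_request(url: str, username: str, password: str) -> Request:
    """Build (but do not send) a request carrying Basic credentials."""
    # Base64 is an encoding, not encryption: refuse anything but HTTPS.
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send Basic credentials over a non-HTTPS URL")
    return Request(url, headers={"Authorization": basic_auth_header(username, password)})


if __name__ == "__main__":
    # Placeholder endpoint and constructed sample credentials.
    req = build_verify_request(
        "https://api.example.invalid/verify", "Aladdin", "open sesame"
    )
    # Print only method and URL; the header holds recoverable credentials
    # and should be kept out of logs.
    print(req.get_method(), req.full_url)
```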


API keys are long-lived authentication tokens that are associated with an OpenAthens domain or sub-organisation. They have exactly the same hierarchy permissions and restrictions as the organisation where they were created. They have an expiry date measured in years rather than minutes. Long-lived keys are intended for applications to use to authenticate against the API. This decouples an application from the account credentials and means that if the administrator changes their password, the application won’t need to be updated to send the new value.

To obtain a long-lived key, you should log into the OpenAthens administration site as the administrator you wish to request a key for. Under ‘Management’, select ‘API keys’ and create a new key with the relevant permission. See: API keys