Authentication overview

Classify is an API security platform designed for real-time threat detection and sensitive data discovery within APIs. Proper authentication is fundamental to integrating Classify with your existing infrastructure and ensuring secure access to its API protection capabilities.

Authentication with Classify primarily involves securing access to the Classify API for programmatic interaction and enabling secure administrative access to the Classify platform UI. For programmatic integrations, developers typically use API keys. For user-based access and integrations requiring delegated authorization, Classify supports OAuth 2.0, providing a standardized framework for secure access without sharing user credentials. The agentless deployment model means that authentication focuses on securing the communication channels through which Classify receives data (e.g., cloud logs, API gateway traffic) and granting authorized access to the Classify platform itself for configuration and monitoring (see the Classify official documentation).

Supported authentication methods

Classify supports the following authentication methods to accommodate various integration scenarios, from automated scripts to user-driven administrative tasks. The choice of method depends on the context of the interaction and the desired security posture, aligning with industry best practices for API security (see the OAuth 2.0 official website).

  • API Key
    • When to use: Programmatic access (e.g., CI/CD pipelines, backend services, scripting for automated tasks). Ideal for server-to-server communication where a static, secret key is managed securely.
    • Security level: High (when managed securely). Requires careful handling to prevent exposure; offers direct access to authorized resources.
  • OAuth 2.0
    • When to use: User-based access to the Classify platform UI, integrations requiring delegated authorization, or when integrating with identity providers. Suitable for applications needing to act on behalf of a user without direct credential management.
    • Security level: Very High. Provides granular control over permissions and leverages established authorization flows (e.g., Authorization Code Grant) to minimize credential exposure. Tokens are short-lived and refreshable.

API Key Authentication

API keys are unique, secret tokens used to authenticate requests made to the Classify API. Each API key is associated with a specific set of permissions, allowing fine-grained control over what actions an application or service can perform. An API key is typically sent in a request header (e.g., Authorization: Bearer YOUR_API_KEY, or a custom header like x-api-key: YOUR_API_KEY). It is critical to treat API keys as sensitive credentials, similar to passwords, to prevent unauthorized access to your Classify environment.

OAuth 2.0 Authentication

OAuth 2.0 is an industry-standard protocol for authorization that allows an application to obtain limited access to a user's account on an HTTP service, such as Classify. It works by delegating user authentication to the authorization server, which then issues access tokens to the client application. This method is particularly useful for:

  • User Interface (UI) Access: Enabling users to log into the Classify platform securely, often integrated with an organization's existing Identity Provider (IdP).
  • Third-Party Integrations: Allowing other services or applications to interact with Classify on behalf of a user with specific permissions.

Classify typically employs standard OAuth 2.0 flows, such as the Authorization Code Grant, for web applications and user-facing integrations. This flow involves a redirection to Classify's (or its IdP's) authorization server, user consent, and then a redirect back to the client application with an authorization code, which is then exchanged for an access token. For detailed implementation steps, consult the Classify API reference documentation.

Getting your credentials

Accessing your Classify API keys and configuring OAuth 2.0 integrations typically involves a few steps within the Classify administrative console. The process is designed to ensure that credential generation and management are secure and auditable.

Generating API Keys

  1. Log In: Access your Classify platform administrator console using your established credentials.
  2. Navigate to API Settings: Locate the section dedicated to API Keys or Integrations, usually found under 'Settings', 'Security', or 'Developer' options.
  3. Create New Key: Initiate the creation of a new API key. You may be prompted to provide a name or description for the key to help with identification and management.
  4. Assign Permissions: Define the scope and permissions for the new key. Grant only the necessary minimum privileges (Principle of Least Privilege) required for the integration to function.
  5. Record Key: The API key is displayed only once. Copy it and store it securely immediately: for security reasons, it may not be retrievable after you leave the page.

For detailed instructions, refer to the Classify security documentation.

Configuring OAuth 2.0

Setting up OAuth 2.0 for Classify involves registering your client application with Classify's authorization server (or configuring Classify to use your existing Identity Provider).

  1. Access OAuth Settings: In the Classify admin console, navigate to the 'Integrations', 'Identity Providers', or 'OAuth Applications' section.
  2. Register Client Application: Provide details about your application, including:
    • Client Name: A human-readable name for your application.
    • Redirect URI(s): The URL(s) to which the user will be redirected after authorization. These must be exact matches to prevent redirection attacks.
    • Application Type: (e.g., Web Application, Single-Page Application).
  3. Receive Client ID and Client Secret: Upon registration, Classify will provide a Client ID and a Client Secret. The Client ID is public, but the Client Secret must be kept confidential.
  4. Configure Scopes: Define the permissions (scopes) your application will request from the user.
  5. Integrate with Your Application: Use the Client ID, Client Secret, and configured scopes to implement the OAuth 2.0 flow within your client application, following the OAuth 2.0 specification (RFC 6749, The OAuth 2.0 Authorization Framework).

Always consult the Classify developer documentation for the most current and specific OAuth 2.0 configuration guidelines.
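The Authorization Code Grant described above (redirect to the authorization server, redirect back with a code, exchange for a token) as an added example written for this page, not code from Classify or its documentation. The authorization and token endpoint URLs, client ID and redirect URI are placeholders; it uses only the Python standard library and makes no network calls.

```python
import secrets
import hmac
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://auth.classify.example/oauth/authorize"  # assumed placeholder
TOKEN_URL = "https://auth.classify.example/oauth/token"          # assumed placeholder
CLIENT_ID = "classify-client-id-placeholder"                     # assumed placeholder
REDIRECT_URI = "https://app.example.com/oauth/callback"          # the URI registered in Classify


def build_authorization_url(scopes, state=None):
    """Step 1: send the user to the authorization server. The random state is
    bound to the user's session and checked on the way back (CSRF protection)."""
    state = state or secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Step 2: validate the redirect back from the authorization server. Only a
    redirect to the exact registered URI carrying the expected state is accepted."""
    parsed = urlparse(callback_url)
    received_uri = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if received_uri != REDIRECT_URI:  # exact match, no prefix or wildcard matching
        raise ValueError("callback does not match the registered redirect URI")
    query = parse_qs(parsed.query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    if "error" in query:
        raise ValueError(f"authorization denied: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(code, client_secret):
    """Step 3: exchange the code for tokens. The client secret travels only in
    this server-side POST, never through the browser redirect."""
    return TOKEN_URL, {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    }
```

The returned URL and body are what a real client would send; POST the body to the token endpoint over HTTPS and keep the resulting access token server-side.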

Authenticated request example

Once you have obtained your API key, you can use it to authenticate requests to the Classify API. Below is an example using cURL, demonstrating how to include an API key in the Authorization header.

This example assumes a hypothetical Classify API endpoint for retrieving an API inventory.

curl -X GET \
  'https://api.classify.io/v1/inventory' \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer sk_live_YOUR_CLASSIFY_API_KEY'

In this example:

  • -X GET specifies the HTTP method.
  • 'https://api.classify.io/v1/inventory' is the API endpoint.
  • -H 'Accept: application/json' requests the response in JSON format.
  • -H 'Authorization: Bearer sk_live_YOUR_CLASSIFY_API_KEY' is the crucial authentication header, where sk_live_YOUR_CLASSIFY_API_KEY should be replaced with your actual, securely obtained Classify API key.

For specific endpoints and expected request/response formats, refer to the Classify API reference.

Security best practices

Adhering to security best practices is essential when authenticating with Classify to protect your API security posture and prevent unauthorized data access or platform manipulation. Classify's SOC 2 Type II compliance underscores the importance of robust security measures, which should extend to how users manage their credentials.

  • Principle of Least Privilege: Grant API keys and OAuth tokens only the minimum necessary permissions required for their intended function. Periodically review and adjust permissions as needs change.
  • Secure Storage of Credentials: Never hardcode API keys directly into source code. Use environment variables, secret management services (e.g., AWS Secrets Manager, Google Secret Manager, Azure Key Vault), or secure configuration files. For OAuth client secrets, ensure they are stored on a secure server and never exposed client-side.
  • Regular Key Rotation: Implement a strategy for regularly rotating API keys. This practice minimizes the window of opportunity for an attacker if a key is compromised.
  • Monitor API Usage: Utilize Classify's monitoring and logging capabilities to track API key usage and detect unusual activity. Set up alerts for suspicious patterns or excessive failed authentication attempts.
  • Strong Authentication for Admin Users: Enforce strong, unique passwords for all Classify administrative accounts. Where available, enable Multi-Factor Authentication (MFA) to add an extra layer of security for UI access.
  • Secure OAuth Redirect URIs: Ensure that all configured Redirect URIs for OAuth 2.0 applications are precise and use HTTPS to prevent interception of authorization codes or tokens.
  • Error Handling: Implement robust error handling in your applications that interact with Classify. Avoid verbose error messages that might accidentally expose sensitive information, especially regarding authentication failures.
  • IP Whitelisting (if available): If Classify offers IP whitelisting for API access, configure it to restrict access to your API keys only from known and trusted IP addresses.
  • Stay Updated: Regularly review the official Classify documentation and security advisories for updates on recommended authentication practices and new security features.
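An added example (not Classify's own code) applying the credential-handling points above: the key is read from an environment variable rather than source, attached as the Bearer header, kept out of error messages, and flagged for rotation after a set period. The sk_live_ prefix follows the sample key on this page; the environment variable name and the 90-day rotation period are assumptions.

```python
import os
import re
from datetime import datetime, timedelta, timezone

KEY_ENV_VAR = "CLASSIFY_API_KEY"                      # assumed variable name
ROTATION_PERIOD = timedelta(days=90)                   # assumed policy value
_KEY_PATTERN = re.compile(r"sk_live_[A-Za-z0-9_]+")    # shape of the page's sample key


def load_api_key(environ=os.environ):
    """Read the key from the environment (or a secret manager that populates it);
    never from source code or a committed configuration file."""
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set; refusing to start")
    return key


def auth_headers(api_key):
    """Headers for an authenticated Classify API request, as in the cURL example."""
    return {"Accept": "application/json", "Authorization": f"Bearer {api_key}"}


def redact(message):
    """Remove anything shaped like an API key before the text reaches a log or a
    user-facing error (the Error Handling point above)."""
    return _KEY_PATTERN.sub("sk_live_[REDACTED]", message)


def safe_failure_message(exc, api_key):
    """Error text safe to log: the live key is removed even if a library
    echoed the Authorization header into the exception."""
    text = str(exc)
    if api_key:
        text = text.replace(api_key, "sk_live_[REDACTED]")
    return redact(text)


def rotation_due(created_at, now=None):
    """True when a key has been in use at least as long as the rotation period."""
    now = now or datetime.now(timezone.utc)
    return now - created_at >= ROTATION_PERIOD
```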