Authentication overview
The monday.com API uses authentication to verify the identity of the client making a request and to determine which monday.com resources that client may read or modify. The API is a single GraphQL endpoint, so every operation, whether creating items, querying boards, updating users, or managing workspaces, is sent as a query or mutation to that endpoint and is accepted only if the request carries a valid credential. Authentication is therefore a prerequisite for every API interaction, and the credential a request carries determines the scope of what it can do.
Developers typically choose between Personal Access Tokens (PATs) for scripting and internal tools, and OAuth 2.0 for public or privately published applications that require user consent and a more robust authorization flow. The choice of authentication method depends on the application's scope, its audience, and the desired level of security and user interaction.
Supported authentication methods
monday.com API supports two primary authentication methods, each designed for different use cases and security requirements.
1. Personal Access Tokens (PATs)
- Description: PATs are long-lived tokens generated by a monday.com user within their account settings. They grant access to the API on behalf of that user. PATs are typically used for personal scripts, internal integrations, or server-side applications where direct user interaction for authentication is not feasible or desired.
- Security Considerations: A PAT carries the full permissions of the user who generated it and cannot be narrowed to a subset of boards or operations, so a token generated by an account admin is as powerful as that admin. PATs should be treated like passwords and kept confidential. If compromised, a PAT grants the holder everything the generating user can do until the token is revoked.
2. OAuth 2.0
- Description: OAuth 2.0 is the industry-standard authorization protocol (IETF RFC 6749) by which a third-party application obtains limited access to an HTTP service on behalf of a resource owner, after the service has asked that owner to approve the access. For the monday.com API, OAuth 2.0 is the mechanism used by applications built for the monday.com Apps Marketplace and by custom integrations that must access several users' accounts while respecting the permissions each user granted. The monday.com documentation describes the authorization-code flow for app development, including the use of scopes to define the specific permissions an app requests.
- Security Considerations: OAuth 2.0 improves on PATs in two ways: the application never handles the user's monday.com credentials, and the scopes granted at consent time bound what the resulting access token can do. The OAuth 2.0 framework also allows access tokens to be short-lived and renewed with a refresh token; whether monday.com issues expiring access tokens or refresh tokens is defined by its OAuth documentation, so design your token handling around what that documentation states rather than assuming a refresh token will be returned. The framework itself is specified in IETF RFC 6749.
Authentication methods comparison
| Method | When to use | Security Level |
|---|---|---|
| Personal Access Tokens (PATs) | Personal scripts, internal tools, server-side integrations without user interaction. | Moderate (full access as the generating user, no scoping; safety depends entirely on how the token is stored and handled). |
| OAuth 2.0 | Public applications, monday.com Apps Marketplace, integrations requiring user consent and granular permissions across multiple accounts. | High (user-granted, scope-limited access; the application never sees user credentials; tokens can be revoked per app). |
Getting your credentials
The process for obtaining credentials varies depending on the chosen authentication method.
For Personal Access Tokens:
- Log in to your monday.com account.
- Navigate to your user avatar in the bottom left corner and click on it.
- Select Developers from the menu.
- Go to the My Access Tokens section.
- Generate a new token or copy an existing one.
Detailed instructions, including managing and revoking tokens, are available in the monday.com API authentication documentation.
For OAuth 2.0:
To implement OAuth 2.0, you will need to register your application within monday.com's developer platform. This involves:
- Creating a new app in the monday.com developer section.
- Configuring your app's details, including a redirect URI (callback URL) where monday.com will send the authorization code after successful user consent.
- Obtaining a Client ID and Client Secret for your application. These credentials are used to identify your application and securely exchange the authorization code for an access token.
- Defining the necessary scopes that your application requires, which dictate the permissions it will request from the user.
The OAuth 2.0 flow typically involves:
- Redirecting the user to monday.com's authorization endpoint.
- The user granting (or denying) permission to your application.
- monday.com redirecting the user back to your specified redirect URI with an authorization code.
- Your application, server-side, exchanging this authorization code for an access token using your Client ID and Client Secret. Whether a refresh token is also returned depends on monday.com's token policy; consult its OAuth documentation rather than assuming one.
For a comprehensive guide on setting up and implementing OAuth 2.0, refer to the monday.com OAuth 2.0 documentation.
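The steps above, written out as an added example (this is not monday.com's own SDK or sample code). It builds the authorization URL with an unguessable state value, validates the callback (state match, expected redirect URI, explicit error from the authorization server, presence of a code) as recommended under Security best practices below, and prepares the server-side code exchange. The endpoint URLs are the ones published in monday.com's OAuth documentation; confirm them against the current docs. The `post` callable is an injected HTTP transport so the logic runs offline; the client ID, redirect URI and scopes in the usage are placeholders.

```python
"""OAuth 2.0 authorization-code flow helpers for a monday.com app (added example)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint URLs as published in monday.com's OAuth documentation at the time
# of writing; verify against the current documentation before relying on them.
AUTHORIZE_URL = "https://auth.monday.com/oauth2/authorize"
TOKEN_URL = "https://auth.monday.com/oauth2/token"


def new_state() -> str:
    """Opaque, unguessable CSRF token; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list, state: str) -> str:
    """Step 1: the URL the user is sent to. Scopes are space-separated in the query."""
    if not redirect_uri.startswith("https://"):
        raise ValueError("redirect_uri must use HTTPS")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str, redirect_uri: str) -> str:
    """Steps 2-3: validate the redirect back to us and return the authorization code.

    Rejects a callback that arrived at the wrong URI, a missing or mismatched
    state (CSRF or a stale session), an explicit error from the authorization
    server, and a callback with no code.
    """
    parts = urlsplit(callback_url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if base != redirect_uri:
        raise ValueError("callback arrived at an unexpected URI")
    qs = parse_qs(parts.query)
    got_state = qs.get("state", [""])[0]
    # Constant-time comparison; an absent state compares as "" and fails.
    if not hmac.compare_digest(got_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or stale session")
    if "error" in qs:
        raise PermissionError(f"authorization denied: {qs['error'][0]}")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def token_request(client_id: str, client_secret: str, code: str, redirect_uri: str):
    """Step 4: URL and form body for the code exchange. Server-side only: it
    carries the client secret, which must never reach a browser."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
    }
    return TOKEN_URL, body


def exchange_code(client_id: str, client_secret: str, code: str, redirect_uri: str, post) -> str:
    """Send the token request through `post(url, form_dict) -> dict` and return
    the access token. A response without refresh_token is not an error: do not
    assume monday.com issues one."""
    url, body = token_request(client_id, client_secret, code, redirect_uri)
    resp = post(url, body)
    if "access_token" not in resp:
        raise RuntimeError(f"token exchange failed: {resp.get('error', 'unknown error')}")
    return resp["access_token"]


if __name__ == "__main__":
    # Placeholder values; in a real app the state lives in the user's session.
    state = new_state()
    print(build_authorize_url("CLIENT_ID", "https://app.example/oauth/callback",
                              ["boards:read", "me:read"], state))
```

In a deployment, `post` would be something like `lambda url, body: requests.post(url, data=body, timeout=10).json()`, called only from the server that holds the client secret; the state value is written to the session before the redirect and read back in `parse_callback`, never taken from the callback alone.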
Authenticated request example
Once you have obtained a Personal Access Token, you can include it in your API requests using the Authorization header. Here's an example using curl to query for the current user's details:
```bash
curl -X POST \
  -H 'Content-Type: application/json' \
  -H 'Authorization: YOUR_PERSONAL_ACCESS_TOKEN' \
  --data '{"query": "query { me { name email } }"}' \
  https://api.monday.com/v2
```
Replace YOUR_PERSONAL_ACCESS_TOKEN with your actual token. The API endpoint for monday.com's GraphQL API is https://api.monday.com/v2. The query field in the JSON payload contains the GraphQL query string.
For OAuth 2.0, after successfully completing the authorization flow and obtaining an access token, you would use it in a similar fashion:
```bash
curl -X POST \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer YOUR_OAUTH_ACCESS_TOKEN' \
  --data '{"query": "query { me { name email } }"}' \
  https://api.monday.com/v2
```
Note the Bearer prefix for OAuth 2.0 access tokens, as specified by the IETF RFC 6750 Bearer Token Usage specification; a Personal Access Token is sent as the bare header value, without the prefix. In both cases the token is the only thing authenticating the request, so the shell history and process list of the machine running the command can expose it; prefer reading it from an environment variable or file rather than typing it into the command line.
Security best practices
Adhering to security best practices is crucial when integrating with the monday.com API to protect sensitive data and maintain system integrity.
- Protect Personal Access Tokens (PATs): Treat PATs like passwords. Avoid hardcoding them directly into your application code. Use environment variables, secure configuration files, or secret management services (e.g., AWS Secrets Manager, Google Secret Manager) to store and retrieve tokens securely. Rotate PATs regularly. If a PAT is compromised or no longer needed, revoke it immediately from your monday.com developer settings.
- Implement OAuth 2.0 Securely:
- Client Secret Protection: Your OAuth 2.0 Client Secret must be kept confidential. Never expose it in client-side code (e.g., JavaScript in a browser). It should only be used server-side when exchanging an authorization code for an access token.
- Redirect URI Validation: Register precise HTTPS redirect URIs (no wildcards, no open redirectors on the same host) and, on the server side, accept a callback only at the exact URI you registered, so that an attacker cannot have the authorization code delivered to a URI they control.
- State Parameter: Send a state parameter on every authorization request to mitigate Cross-Site Request Forgery (CSRF). The value should be randomly generated and opaque, stored server-side in the user's session before the redirect, and compared with the value on the callback using a constant-time comparison; reject the callback if the state is missing or does not match.
- Token Management: Store access tokens (and refresh tokens, if monday.com issues them) encrypted at rest and never in client-side storage. Handle an expired or revoked token as an explicit error that triggers re-authorization, rather than retrying the same token.
- Scope Minimization: Request only the minimum necessary scopes for your application's functionality. This limits the potential damage if an access token is compromised.
- Use HTTPS: All communication with the monday.com API must occur over HTTPS to ensure that data is encrypted in transit and protected from eavesdropping and tampering. The monday.com API inherently enforces HTTPS for all endpoints.
- Error Handling and Logging: Implement robust error handling for API requests and log authentication failures. This helps in identifying potential security incidents or misconfigurations. However, be cautious not to log sensitive information like tokens or credentials.
- Regular Security Audits: Periodically review your integration's security posture, including how credentials are stored, transmitted, and used. Stay informed about security updates and best practices from monday.com and the wider API security community.