Authentication overview

Authentication for the Open Skills platform ensures that all API requests are authorized and that data remains secure. Developers interact with the Open Skills API to manage skills taxonomies, enrich job descriptions, and perform candidate matching. The platform supports two primary authentication mechanisms: API keys and OAuth 2.0, catering to different integration scenarios and security requirements.

All interactions with the Open Skills API occur over HTTPS, providing encryption in transit to protect sensitive information such as credentials and data payloads. This aligns with industry standards for secure API communication, as detailed by organizations like the World Wide Web Consortium on web security. Proper authentication is critical for maintaining the integrity and confidentiality of skills data, preventing unauthorized access, and ensuring compliance with data protection regulations like GDPR.

Choosing the appropriate authentication method depends on the application's nature. API keys are generally suitable for server-to-server communication where a backend service directly accesses the Open Skills API. OAuth 2.0 is designed for scenarios where an application needs to access Open Skills data on behalf of a user, requiring user consent for delegated authorization.

Supported authentication methods

Open Skills supports two main methods for authenticating API requests:

  • API Keys: A simple, token-based authentication method suitable for server-side applications and scripts.
  • OAuth 2.0: An industry-standard protocol for authorization, ideal for third-party applications or when user consent is required for accessing resources.

API Key authentication

API keys are unique, secret tokens assigned to your Open Skills account. When using an API key, you include it directly in the header of your HTTP requests. This method is straightforward to implement and manage, making it a common choice for backend services and internal tools that do not require user interaction for authorization.

How it works:

  1. Obtain an API key from your Open Skills dashboard.
  2. Include the API key in the Authorization header of your HTTP requests, typically as a Bearer token or a custom header as specified in the Open Skills API reference.
  3. The Open Skills API validates the key with each request to determine access permissions.

API keys grant access to the resources associated with your Open Skills account. Therefore, they must be treated as sensitive credentials and protected from unauthorized exposure.

OAuth 2.0 authentication

OAuth 2.0 is an authorization framework that allows a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This protocol is particularly useful for public client applications (e.g., mobile apps, browser-based applications) that cannot securely store credentials.

Open Skills implements OAuth 2.0 to enable applications to request specific permissions from users without exposing user credentials directly to the application. This is a standard approach for delegated authorization, as outlined by the OAuth 2.0 specification.

How it works (typical flow):

  1. Your application redirects the user to the Open Skills authorization server.
  2. The user grants permission for your application to access their Open Skills data.
  3. The authorization server redirects the user back to your application with an authorization code.
  4. Your application exchanges the authorization code for an access token (and optionally a refresh token) with the Open Skills token endpoint.
  5. Your application uses the access token to make authenticated requests to the Open Skills API on behalf of the user.

The specific OAuth 2.0 grant types supported by Open Skills (e.g., Authorization Code Grant, Client Credentials Grant) are detailed in the official Open Skills documentation.

Authentication methods comparison

Method When to Use Security Level
API Key Server-side applications, backend services, scripts, internal tools. Medium (requires careful handling of keys)
OAuth 2.0 Third-party applications, public clients (mobile/web apps), when user consent is required. High (delegated authorization, token expiration)

Getting your credentials

To begin using the Open Skills API, you need to obtain the necessary authentication credentials. The process for acquiring API keys differs from setting up an OAuth 2.0 client application.

Getting an API Key

  1. Sign Up/Log In: Navigate to the Open Skills homepage and either sign up for a new account or log in to your existing one.
  2. Access Dashboard: Once logged in, go to your developer dashboard or account settings.
  3. Generate Key: Look for a section labeled 'API Keys', 'Credentials', or 'Developer Settings'. Follow the instructions to generate a new API key. You may be prompted to provide a name or description for the key to help with organization.
  4. Store Securely: Immediately after generation, copy your API key and store it in a secure location. Open Skills typically displays API keys only once for security reasons, so if you lose it, you may need to generate a new one.

Refer to the Open Skills documentation for precise steps on API key generation and management within your account.

Setting up OAuth 2.0 credentials

Setting up OAuth 2.0 involves registering your application with Open Skills to obtain client credentials (Client ID and Client Secret).

  1. Register Application: In your Open Skills dashboard, locate the 'Applications' or 'OAuth Clients' section.
  2. Provide Details: Register a new application. You will typically need to provide:
    • Application Name: A user-friendly name for your application.
    • Redirect URIs (Callback URLs): The URL(s) where Open Skills will redirect users after they grant or deny permission. These must be precise and match the URLs configured in your application.
    • Application Type: (e.g., Web Application, Mobile Application, Native Application).
  3. Obtain Client ID and Secret: Upon successful registration, Open Skills will provide you with a Client ID and a Client Secret. The Client ID is public, but the Client Secret is confidential and must be protected like an API key.
  4. Configure Scopes: Define the necessary API scopes (permissions) that your application will request from users. Scopes limit the access an application has to a user's data.

Detailed instructions, including specific endpoints for authorization and token exchange, are available in the Open Skills developer documentation.

Authenticated request example

This example demonstrates how to make an authenticated request to the Open Skills API using an API key in Python. The principle applies across other languages and SDKs, where the API key is passed in the Authorization header.


import requests
import os

# Replace with your actual Open Skills API Key
OPEN_SKILLS_API_KEY = os.environ.get("OPEN_SKILLS_API_KEY", "YOUR_OPEN_SKILLS_API_KEY")

# Define the API endpoint for skills lookup
API_ENDPOINT = "https://api.openskill.sh/v1/skills/search"

# Define the headers, including the Authorization header with your API key
headers = {
    "Authorization": f"Bearer {OPEN_SKILLS_API_KEY}",
    "Content-Type": "application/json"
}

# Define the payload for the request (example: searching for 'Python')
payload = {
    "query": "Python",
    "limit": 5
}

try:
    # Make the POST request to the API
    response = requests.post(API_ENDPOINT, headers=headers, json=payload)

    # Raise an exception for HTTP errors
    response.raise_for_status()

    # Parse and print the JSON response
    data = response.json()
    print("Successfully authenticated and retrieved data:")
    for skill in data.get("skills", []):
        print(f"- {skill.get('name')} (ID: {skill.get('id')})")

except requests.exceptions.HTTPError as http_err:
    print(f"HTTP error occurred: {http_err} - {response.text}")
except Exception as err:
    print(f"An error occurred: {err}")

This Python example uses the requests library to send a POST request. The API key is securely retrieved from an environment variable (or a placeholder in this example) and included in the Authorization header as a Bearer token. This is the standard practice for authenticating with API keys for Open Skills.

For examples in TypeScript, Go, or Ruby, refer to the respective Open Skills SDK documentation or the comprehensive API reference.

Security best practices

Adhering to security best practices when handling Open Skills credentials is essential to protect your applications and data.

API Key management

  • Never hardcode API keys: Avoid embedding API keys directly in your source code. Use environment variables, configuration files, or secret management services (e.g., AWS Secrets Manager, Google Secret Manager) to store and retrieve keys.
  • Restrict access: Limit who has access to your API keys. Only authorized personnel and systems should be able to retrieve or use them.
  • Rotate keys regularly: Periodically generate new API keys and revoke old ones. This minimizes the impact if a key is compromised.
  • Use IP whitelisting: If supported by Open Skills, configure your API keys to only accept requests from a predefined list of IP addresses. This adds an extra layer of security.
  • Monitor API usage: Regularly review API logs and usage patterns for any unusual activity that might indicate a compromised key.

OAuth 2.0 best practices

  • Protect Client Secrets: Treat your OAuth Client Secret with the same care as an API key. For public clients (e.g., mobile apps, single-page applications), the Client Secret should not be used as it cannot be kept confidential.
  • Use HTTPS for Redirect URIs: Ensure all your Redirect URIs use HTTPS to prevent interception of authorization codes and tokens.
  • Validate State Parameter: Implement the state parameter in OAuth 2.0 flows to prevent Cross-Site Request Forgery (CSRF) attacks. The state parameter should be a randomly generated, unguessable value associated with the user's session.
  • Limit Scopes: Request only the minimum necessary permissions (scopes) from users. Over-permissioning increases the risk if your application is compromised.
  • Secure Token Storage: Access tokens and refresh tokens should be stored securely. For web applications, avoid storing tokens in local storage; use HTTP-only cookies or server-side sessions.
  • Implement Token Refresh: Use refresh tokens to obtain new access tokens without requiring the user to re-authenticate, but ensure refresh tokens are also securely stored and managed.

General security practices

  • Encrypt data in transit: Always use HTTPS/TLS for all communication with the Open Skills API to encrypt data between your application and the API endpoints. Open Skills enforces HTTPS for all API calls.
  • Input validation: Validate all input sent to the Open Skills API to prevent injection attacks and ensure data integrity.
  • Error handling: Implement robust error handling without exposing sensitive information in error messages to clients.
  • Stay updated: Keep your SDKs, libraries, and application dependencies up to date to benefit from the latest security patches.
  • Review documentation: Regularly consult the Open Skills documentation for any updates to security recommendations or authentication methods.