Authentication overview
Pipedream provides a platform for connecting APIs and building serverless workflows, which necessitates robust authentication mechanisms for both accessing the Pipedream API itself and for securely integrating with external services. The platform distinguishes between authenticating requests to the Pipedream API and authenticating from Pipedream to third-party APIs. For direct interaction with the Pipedream API, such as programmatically managing workflows or retrieving event data, personal API keys are the primary method. These keys grant access to a user's account and resources within Pipedream.
When Pipedream workflows interact with external APIs, the platform supports a range of authentication methods, often abstracted through its pre-built actions and integrations. This approach aims to simplify the process for developers, allowing them to focus on workflow logic rather than the intricacies of each API's authentication scheme. Pipedream securely stores and manages credentials for connected accounts, ensuring that sensitive information is not exposed in workflow code or logs. The platform's security posture, including compliance with SOC 2 Type II standards, underpins its approach to handling sensitive authentication data.
Supported authentication methods
Pipedream supports various authentication methods, depending on whether the interaction is with the Pipedream API or with a third-party service integrated into a Pipedream workflow. The choice of method often depends on the specific API being accessed and the level of security and authorization required.
For the Pipedream API
- Personal API Keys: These are long-lived tokens generated within the Pipedream dashboard. They are used to authenticate programmatic access to a user's Pipedream account, enabling actions such as deploying workflows, managing sources, or retrieving event data via the Pipedream REST API. API keys provide full access to the associated account's resources, making their secure handling critical.
For Third-Party Services (within workflows)
Pipedream's pre-built actions and custom code steps can integrate with a wide array of external services, each with its own authentication requirements. Pipedream abstracts many of these, allowing users to connect accounts through a UI.
- OAuth 2.0: This is a widely adopted authorization framework that Pipedream leverages for many popular integrations like Google, Salesforce, and Stripe. OAuth 2.0 allows users to grant Pipedream access to their data on a third-party service without sharing their actual credentials. Pipedream manages the token exchange and refresh process, ensuring continuous authorized access. For a general understanding of OAuth 2.0 flows, refer to the OAuth 2.0 specification overview.
- API Keys: Many services use simple API keys for authentication. Pipedream allows users to securely store these keys as environment variables or connection secrets, which can then be accessed within workflow code or pre-built actions. Examples include Stripe's API keys for payment processing or Twilio's Account SID and Auth Token for messaging services.
- Basic Authentication: Some legacy or simpler APIs use Basic Auth, where the username and password are joined as username:password, Base64-encoded (encoding only, not encryption), and sent in the Authorization header with every request, which makes HTTPS mandatory. Pipedream supports this through custom HTTP requests or specific actions that configure Basic Auth headers.
- Bearer Tokens (e.g., JWTs): Similar to API keys, Bearer tokens are sent in the Authorization: Bearer <token> header. These can be securely stored and passed in HTTP requests within Pipedream workflows.
- Custom Authentication: For services with unique or complex authentication flows not covered by standard methods, Pipedream's code steps (Node.js or Python) allow developers to implement custom authentication logic. This might involve generating signatures, handling specific challenge-response mechanisms, or integrating with enterprise identity providers.
The following table summarizes common authentication methods supported for integrations:
| Method | When to Use | Security Level |
|---|---|---|
| Personal API Key (Pipedream API) | Programmatic access to Pipedream account and resources. | High (if securely managed). Grants broad access. |
| OAuth 2.0 (Third-Party) | Connecting to major services (Google, Stripe, Salesforce, etc.) where granular permissions are needed without sharing credentials. | High. Token-based, often with scope control and refresh mechanisms. |
| API Key (Third-Party) | Integrating with services that rely on static keys for authentication (e.g., Twilio, Mailgun). | Medium to High. Security depends on key secrecy and API key rotation policies. |
| Basic Authentication (Third-Party) | Interacting with APIs that expect a username and password in the Authorization header. | Medium. The Base64 pair is encoding, not encryption, and the full password travels with every request, so it is only acceptable over HTTPS and cannot be scoped or revoked as finely as an OAuth token. |
| Bearer Token (Third-Party) | Using JWTs or other short-lived tokens for authorization. | High. Often used post-authentication for session management or scoped access. |
Getting your credentials
Pipedream Personal API Key
To obtain a Personal API Key for accessing the Pipedream API:
- Log in to your Pipedream account.
- Navigate to the Settings section.
- Locate the API Keys tab.
- Generate a new API key. Ensure you copy and store it securely immediately, as it will only be shown once.
This key should be treated as sensitive as your account password.
Third-Party Service Credentials
For connecting Pipedream to third-party services, the process varies:
- OAuth 2.0 Connections: When adding an action or source that uses OAuth, Pipedream will typically prompt you to connect a new account. This redirects you to the third-party service's authorization page (e.g., Google's account consent screen for Google services), where you grant Pipedream the necessary permissions. Pipedream then handles the token exchange and storage.
- API Keys/Tokens/Basic Auth: For services requiring direct API keys, tokens, or username/password, you will typically retrieve these from the respective service's developer dashboard or account settings. For example, Stripe API keys are found in the Stripe Dashboard under 'Developers > API keys'. Once obtained, you can either enter them directly when configuring a Pipedream action or store them as Pipedream secrets for use in custom code steps.
Authenticated request example
Pipedream API with Personal API Key
To interact with the Pipedream API using your Personal API Key, you typically include it in the Authorization header as a Bearer token. This example demonstrates fetching a list of your Pipedream workflows using curl:
```bash
curl -X GET \
  'https://api.pipedream.com/v1/workflows' \
  -H 'Authorization: Bearer YOUR_PIPEDREAM_API_KEY' \
  -H 'Content-Type: application/json'
```
Replace YOUR_PIPEDREAM_API_KEY with your actual Pipedream Personal API Key.
Third-Party API within a Pipedream Workflow (Node.js example using an API Key)
This Node.js example within a Pipedream code step demonstrates making an authenticated request to a hypothetical third-party API that uses an API key, stored as a Pipedream secret named MY_SERVICE_API_KEY. This secret is accessed via process.env.
```javascript
import axios from 'axios';

export default defineComponent({
  async run({ steps, $ }) {
    // Read the key from a Pipedream environment variable; never hardcode it here.
    const apiKey = process.env.MY_SERVICE_API_KEY;
    if (!apiKey) {
      throw new Error("MY_SERVICE_API_KEY environment variable is not set.");
    }
    const response = await axios.get('https://api.example.com/data', {
      headers: {
        'Authorization': `Bearer ${apiKey}`,
        'Content-Type': 'application/json',
      },
    });
    // Log and return only the response body, never the request headers.
    console.log('API Response:', response.data);
    return response.data;
  },
});
```
In this example, MY_SERVICE_API_KEY would be configured as an environment variable secret in your Pipedream workflow settings, ensuring the key is not hardcoded in your workflow logic.
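The following is an added example, not Pipedream's or any library's own code. It covers the three header-based methods from the list above (API key, Basic, Bearer) in one helper and shows the part the step above leaves out: when a request fails, an axios-style error carries the request config, Authorization header included, and anything thrown from a code step is written to the execution log. The helper names are hypothetical, the default X-API-Key header name and the sample credentials are constructed, and nothing here touches the network; `client` is any object with axios's get() shape.

```javascript
// Added example, not Pipedream's or any library's code. Helper names are
// hypothetical; credentials used in the demo are constructed.
const REDACTED = "[REDACTED]";

// Build request headers for one scheme. In a real step the values in `creds`
// come from process.env (e.g. process.env.MY_SERVICE_API_KEY).
function authHeaders(scheme, creds) {
  switch (scheme) {
    case "api-key":
      // Static key in a service-specific header (the default name is an assumption).
      return { [creds.headerName || "X-API-Key"]: creds.key };
    case "basic": {
      // RFC 7617: base64 of "username:password". Encoding, not encryption,
      // so this only makes sense over HTTPS.
      const pair = Buffer.from(`${creds.username}:${creds.password}`, "utf8").toString("base64");
      return { Authorization: `Basic ${pair}` };
    }
    case "bearer":
      return { Authorization: `Bearer ${creds.token}` };
    default:
      throw new Error(`unsupported auth scheme: ${scheme}`);
  }
}

// Every auth header value is a secret; for Basic and Bearer the part after the
// scheme word is a secret on its own, so both forms are collected. Longest
// first, so "Basic xyz" is replaced before "xyz" can split it.
function secretsIn(headers) {
  const vals = Object.values(headers).filter((v) => typeof v === "string" && v);
  const bare = vals.map((v) => v.replace(/^(Basic|Bearer)\s+/i, ""));
  return [...new Set([...vals, ...bare])].sort((a, b) => b.length - a.length);
}

// Recursively replace each secret inside strings, arrays and plain objects.
function redact(value, secrets) {
  if (typeof value === "string") {
    return secrets.reduce((s, secret) => s.split(secret).join(REDACTED), value);
  }
  if (Array.isArray(value)) return value.map((v) => redact(v, secrets));
  if (value && typeof value === "object") {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, redact(v, secrets)]));
  }
  return value;
}

// axios-style errors expose `config.headers` (Authorization included). Build a
// copy that keeps the status and URL but no credential material, so the
// error can be thrown or logged from a code step safely.
function sanitizeError(err, url, headers) {
  const secrets = secretsIn(headers);
  const safe = new Error(redact(err.message ?? String(err), secrets));
  safe.status = err.response?.status ?? null;
  safe.request = redact({ url, headers: err.config?.headers ?? headers }, secrets);
  return safe;
}

// Wrapper for use inside a code step: `client` is axios (or anything with the
// same get() shape); failures are rethrown sanitized.
async function callService(client, url, headers) {
  try {
    const res = await client.get(url, { headers });
    return res.data;
  } catch (err) {
    throw sanitizeError(err, url, headers);
  }
}
```

Inside a step you would call `callService(axios, url, authHeaders("bearer", { token: process.env.MY_SERVICE_API_KEY }))`; the thrown error still tells you the status and URL, but the value of the Authorization header never reaches the execution log.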
Security best practices
Adhering to security best practices is essential when managing authentication credentials within Pipedream workflows to protect your data and prevent unauthorized access.
- Never hardcode credentials: Avoid embedding API keys, tokens, or passwords directly into your workflow code. Instead, use Pipedream's environment variables, which are encrypted at rest and are not exposed in your workflow code. That protection does not extend to values you emit yourself: a console.log of a key, a step that returns it, or an error that embeds it all end up in execution history, so treat everything a step logs, exports or throws as potentially visible.
- Use least privilege: When granting permissions, whether for your Pipedream API Key or for third-party OAuth connections, ensure that the granted access is limited to only what is necessary for the workflow to function. For instance, if a workflow only needs to read data, do not grant write or delete permissions.
- Rotate API keys and tokens regularly: Periodically change your Pipedream Personal API Keys and any third-party API keys. This practice minimizes the window of opportunity for a compromised key to be exploited. Many services, like AWS, recommend regular key rotation.
- Monitor access and logs: Regularly review Pipedream's execution logs and any audit logs provided by integrated third-party services. Unusual access patterns or failed authentication attempts can indicate a security issue.
- Secure your Pipedream account: Enable multi-factor authentication (MFA) on your Pipedream account to add an extra layer of security against unauthorized access to your workflows and credentials.
- Understand OAuth scopes: When connecting services via OAuth, carefully review the requested scopes. Ensure that the permissions Pipedream requests align with the functionality your workflow requires. Granting overly broad scopes can increase potential risk if the connection is compromised.
- Validate webhooks: If your Pipedream workflow acts as a webhook receiver, implement signature verification where supported (e.g., Twilio's webhook security). This confirms that incoming requests originate from the expected source and haven't been tampered with.
- Review and revoke unused credentials: Periodically audit your connected accounts and API keys. Revoke access for any credentials that are no longer in use or associated with inactive workflows.