Overview

Authorization and context identification

The AI Hub API uses a system of authorization and context identification for all API calls.

OAuth tokens

All API requests to AI Hub require an access token. You can create AI Hub-managed API tokens from the APIs settings page, unless restricted by your organization admin. Enterprise-tier organizations can also configure OAuth providers to use externally managed tokens issued by their OAuth provider.

For AI Hub-managed tokens, authorizing by token grants the same access and permissions that the user or service account who created the token currently has. In other words, if you’re unable to perform an operation in the UI with your current permissions, your API request for the same operation is denied.

For externally managed tokens, authorization is based on the mapped account and token contents:

  • If the token includes a valid scope claim, AI Hub authorizes the request based on the roles defined in that scope.

  • If the token doesn’t include a valid scope claim, AI Hub authorizes the request based on the mapped account’s assigned roles, similar to AI Hub-managed tokens.

AI Hub supports service accounts, AI Hub accounts not tied to a particular user and used only for making API calls. Organization admins can create service accounts and manage their tokens from the organization settings.

Adding AI Hub-managed tokens

Unless restricted by your organization admin, you can add as many tokens as needed. While you can use a single token for all AI Hub API requests, creating multiple tokens can be helpful for organizing third-party access. For example, you might use one token per third-party application, so you can selectively manage and revoke third-party access.

  1. In the header, click the initials icon and select Settings.

  2. Select the APIs tab.

  3. In the AI Hub tokens section, click Create token.

  4. Enter a name and description for the token. Use the description to note the token’s purpose or intended usage.

  5. Select or define a custom expiration date for the token. The default setting is Never expires.

  6. Click Add.

  7. Copy the token.

    After closing the create token dialog, the token’s value is encrypted and can’t be copied again.

Refreshing AI Hub-managed tokens

Refresh a token to update its value.

  1. In the header, click the initials icon and select Settings.

  2. Select the APIs tab.

  3. In the AI Hub tokens table, click the refresh icon Icon of two circling arrows. of the token to refresh.

  4. Select or define a custom expiration date for the token. The default setting is Never expires.

  5. Click Refresh token.

  6. Copy the token. After closing the refresh token dialog, the token’s value is encrypted and can’t be copied again.

Deleting AI Hub-managed tokens

If a token is no longer needed or you wish to revoke the access it grants, delete it.

  1. In the header, click the initials icon and select Settings, then click the APIs tab.

  2. In the AI Hub tokens table, click the delete icon Icon of a trash can. of the token to delete.

  3. Enter the confirmation text and click Delete token.

To delete all tokens, click More above the OAuth tokens table, then select Delete all tokens.

IB-Context header

AI Hub previously offered a type of account called a community account. A user’s community account and organization account could share a user ID and API token, necessitating the use of the IB-Context header in API requests to identify the context of the call. For members with two accounts, the IB-Context header specified which context (account) to use to complete the API request. The context also determines where to find input files and save output files. Requests fail if specified files don’t exist in the defined context.

While community accounts are no longer offered, to avoid errors, always define the IB-Context header. The appropriate header value depends on the account type.

  • Organization accounts — Use your organization ID. If undefined, call might fail.

  • Community accounts (Deprecated) — Use your user ID.

  • Service accounts — Use the organization ID or omit the header (defaults to organization ID).

Finding your user ID

Your user ID is a unique, non-editable identifier tied to your account. It’s created using the email address tied to your account.

  1. In the header, click the initials icon and select Settings.

  2. Select the APIs tab.

  3. Under User ID, click the Copy icon.

Organization admins can copy a service account’s user ID from the service account’s details page. Navigate to Settings > organization name > Service accounts, then select the service account to open its details page.

Finding your organization ID

An organization ID is a unique, non-editable identifier tied to your organization.

  1. In the header, click the initials icon and select Settings.

  2. Select the APIs tab.

  3. Under Organization ID, click the Copy icon.

The organization ID of a service account is the same as for any other organization member. Copy the ID from the service account’s details page. Navigate to Settings > organization name > Service accounts, then select the service account.