Authentication

All BEAM® Data API endpoints, both real-time and asynchronous, require a valid API token for access. The token must be provided in the Authorization header, except for GET requests sent from known web browsers, where it is acceptable to pass the token in the access_token query parameter. The API does not offer CORS and is not meant to be consumed directly from web browser clients. If you don't have a server, you can set up a thin proxy for free using Cloudflare Workers.
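A sketch of the thin proxy mentioned above, as an added example that is not BEAM's own code: it attaches the app's secret token server-side and refuses to act as an open relay. The upstream origin, the "Bearer" scheme, the BEAM_APP_SECRET binding name and the allowlisted path prefixes are all assumptions, since the page does not specify them.

```javascript
// Added example: thin proxy that keeps the app's secret token server-side.
// Assumptions (not from the BEAM docs): upstream origin, "Bearer" scheme,
// the BEAM_APP_SECRET binding name, and the allowlisted path prefixes.
const UPSTREAM_ORIGIN = "https://data-api.example.invalid"; // placeholder
const ALLOWED_PREFIXES = ["/v1/channels/", "/v1/profiles/"]; // hypothetical

// Decide what, if anything, gets forwarded. Pure function so it can be tested.
function planUpstreamRequest(request, env) {
  if (request.method !== "GET") return { reject: 405 };
  if (!env || !env.BEAM_APP_SECRET) return { reject: 500 };

  const incoming = new URL(request.url);
  // URL parsing has already resolved "/../" segments; check the normalized path.
  const path = incoming.pathname;
  if (!ALLOWED_PREFIXES.some((p) => path.startsWith(p))) return { reject: 404 };

  const upstream = new URL(path, UPSTREAM_ORIGIN);
  for (const [key, value] of incoming.searchParams) {
    // Never relay a caller-supplied token; the proxy authenticates itself.
    if (key.toLowerCase() !== "access_token") upstream.searchParams.append(key, value);
  }
  // Headers are built from scratch: the caller's Authorization and Cookie
  // headers are never copied to the upstream request.
  const headers = {
    Authorization: `Bearer ${env.BEAM_APP_SECRET}`,
    Accept: "application/json",
  };
  return { url: upstream.toString(), init: { method: "GET", headers } };
}

async function handleRequest(request, env) {
  const plan = planUpstreamRequest(request, env);
  if (plan.reject) return new Response(null, { status: plan.reject });
  const upstreamResponse = await fetch(plan.url, plan.init);
  // Return body and status only; upstream headers are not echoed to the client.
  const type = upstreamResponse.headers.get("Content-Type") || "application/json";
  return new Response(upstreamResponse.body, {
    status: upstreamResponse.status,
    headers: { "Content-Type": type },
  });
}

// Cloudflare Workers entry point (module syntax):
//   export default { fetch: (request, env) => handleRequest(request, env) };
```

Store the token as a Worker secret so it is exposed to the code only through env and never appears in the script source.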

There are three types of API tokens you can pass to the Data API:

  1. App Access Token - This is your app's secret token that should never leave your server (or serverless) instance. You can access most publicly available data with it. You will have very limited write access on behalf of the app.
  2. User Access Token - This is an OAuth token linked to the user's identity and has access to the user's private information. The access level is determined by you (when requesting permissions) and the user (when granting access to their account to your app) and can include one or more BEAM channels per user token.
  3. User Cookie-derived Token - This is a special short-lived token scoped to the user that you can get by exchanging the user's session cookie obtained by accessing the browser's cookie store. The purpose of this token is for desktop apps that offer BEAM integrations to read important channel and profile information without launching the browser. The scope of access is very restricted but covers the majority of desktop app use cases.

You will learn how to obtain each of these tokens below.

App Access Token

After you are granted access to the Data API (request access on this page), you will see a new app on the My Apps page. On the app details page, you will see the "API Tokens" section, where you'll find your app's publishable and secret tokens.

Further details will be released when the API leaves private beta.

User Access Token

Details will be released when the API leaves private beta.

User Cookie-derived Token

Details will be released when the API leaves private beta.