Skip to main content

Authentication

All requests to Inworld’s APIs must include a Runtime API key in an Authorization HTTP header. All APIs supports both Basic and JWT authentication.

Getting an API key

If you need a Runtime API key, follow the following steps:
  1. Log in to Inworld Portal.
  2. Click API Keys on the bottom left sidebar.
  3. Click Generate new key to generate a new API key.
  4. Copy the Basic (Base64) authorization signature.
Get API Key

Basic authentication

Do not expose your Base64 API credentials in client-side code (browsers, apps, game builds), as it may be compromised. Please consider JWT authentication for client-side builds.
Basic authentication uses the Base64 encoded credentials to authenticate the request. Below is an example of the header for Basic authentication: 
Authorization: Basic $INWORLD_RUNTIME_BASE64_CREDENTIALS
Make sure to keep your Base64 credentials safe, as anyone with your credentials can make requests on your behalf. It is recommended that credentials are stored as environment variables and read at run time.

JWT authentication

JWT (JSON Web Token) authentication allows you to issue a signed token from your server that clients can use to securely authenticate with Inworld APIs. This method is strongly recommended when calling APIs from client-side code, to avoid exposing your credentials. How it works:
  1. Your backend securely stores the Inworld Runtime API Key and Secret.
  2. When the client needs to authenticate, it requests a token from your backend.
  3. Your backend uses the API key and secret to generate a signed JWT and returns it to the client.
  4. The client uses this JWT with each API request to Inworld:
Authorization: Bearer $JWT
We recommend taking a look at this sample Node.js application for an example of how to generate JWT tokens for authentication with the Inworld API.