In order to make requests to the Attio REST API, you need to generate an access token.

There are two ways to generate an access token:

  1. By implementing an OAuth 2.0 flow
  2. By generating an API key for your workspace

You should prefer the OAuth 2.0 flow if building an app for multiple workspaces. If you are building an app for a single workspace, you can manually generate an API key to make requests on behalf of that workspace only.

Generating access tokens

OAuth 2.0

Attio implements the standard OAuth 2.0 specification. You can find the reference for our OAuth authorize, token exchange and introspect endpoints here.

If you would prefer a tutorial on how to implement an OAuth 2.0 flow into an existing app, you can find one here.

API key

If you only need a token for a single workspace, you can generate an API key in the developer settings page of your apps. You can find docs on how to do this here.

Using tokens

Both OAuth access tokens and single-workspace access tokens are used in the same way. Pass the value of the token in the Authorization header of your requests like so:

Authorization: Bearer <access_token>

We also support HTTP Basic Authentication, where the username is the token and the password is left blank. However, we recommend using Bearer authentication where possible.
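The two header forms described above, as an added example that is not part of Attio's own documentation or code: it builds the Bearer and Basic headers, recovers the token from either form, and redacts the credential before logging. The environment variable name `ATTIO_ACCESS_TOKEN`, the function names and the sample token are assumptions made for illustration.

```python
import base64
import binascii
import os

TOKEN_ENV_VAR = "ATTIO_ACCESS_TOKEN"  # assumed name, not defined by the Attio docs

def _check_token(token):
    # Reject empty values and whitespace/control characters (header injection guard).
    if not token or any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in token):
        raise ValueError("token is empty or contains whitespace/control characters")

def bearer_header(token):
    """Recommended form: Authorization: Bearer <access_token>."""
    _check_token(token)
    return {"Authorization": f"Bearer {token}"}

def basic_header(token):
    """HTTP Basic form: the username is the token, the password is left blank."""
    _check_token(token)
    encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {encoded}"}

def token_from_header(value):
    """Recover the token from either scheme; raise ValueError on anything else."""
    scheme, _, credentials = value.partition(" ")
    if scheme.lower() == "bearer" and credentials:
        return credentials
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("malformed Basic credentials") from exc
        username, sep, password = decoded.partition(":")
        if sep and username and not password:
            return username
        raise ValueError("Basic credentials must be '<token>:' with a blank password")
    raise ValueError("unsupported Authorization scheme")

def redact(headers):
    """Copy of headers that is safe to log: keeps the scheme, hides the credential."""
    safe = dict(headers)
    if "Authorization" in safe:
        safe["Authorization"] = safe["Authorization"].split(" ", 1)[0] + " [REDACTED]"
    return safe

if __name__ == "__main__":
    token = os.environ.get(TOKEN_ENV_VAR, "constructed-sample-token")
    for build in (bearer_header, basic_header):
        print(redact(build(token)))
```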

Scopes

Both OAuth access tokens and single-workspace access tokens use scopes to control the resources that the token has access to and the actions that can be performed on those resources.

The possible scopes for OAuth and single-workspace access tokens are the same.

The reference documentation for each endpoint includes a “Required scopes” section that lists the scopes needed to call that endpoint.

When using an OAuth access token, the scopes are specified by configuring the scope settings for your app in the developer dashboard.

When using a single-workspace access token, the scopes are specified in the settings UI when generating the token. Scopes for single-workspace access tokens can also be modified on existing tokens.