Authentication and API keys

The Point11 API uses OAuth 2.0 bearer tokens for authentication. Every request to the API must include a valid access token in the Authorization header. This guide covers how to obtain tokens, manage API keys, and implement secure authentication in your integrations.

Authentication Overview

Point11 supports two authentication flows depending on your use case:

• OAuth 2.0 Client Credentials: For server-to-server integrations where no user context is needed. Your application exchanges a client ID and client secret for an access token.
• OAuth 2.0 Authorization Code with PKCE: For applications that act on behalf of a specific Point11 user. The user authorizes your application through a browser-based consent flow.

All API requests must include the access token as a Bearer token in the Authorization header:

Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

Requests without a valid token receive a 401 Unauthorized response. Requests with a valid token but insufficient permissions receive a 403 Forbidden response.

Obtaining Access Tokens

Client Credentials Flow

Send a POST request to the token endpoint with your client credentials:

POST https://api.point11.com/oauth/token

grant_type=client_credentials &client_id=your_client_id &client_secret=your_client_secret &scope=audits:read analytics:read `

The response contains an access token and its expiration time:

json{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "audits:read analytics:read"
}

Access tokens expire after 1 hour (3600 seconds). Your application must request a new token before the current one expires. Implement token caching to avoid requesting a new token for every API call.

Authorization Code Flow with PKCE

For user-context applications, redirect the user to the authorization endpoint, receive an authorization code on callback, and exchange it for an access token. PKCE (Proof Key for Code Exchange) is required for all authorization code flows to prevent code interception attacks. Refer to the OAuth 2.0 specification (RFC 6749) and PKCE extension (RFC 7636) for implementation details.

API Keys

API keys provide a simpler authentication mechanism for development, testing, and low-risk integrations. Generate API keys from the Point11 dashboard under Settings > API Keys.

Key Types

• Live keys: Access production data. Prefixed with p11_live_.
• Test keys: Access sandbox data only. Prefixed with p11_test_. Test keys cannot modify production resources.

Key Management Best Practices

• Rotate API keys every 90 days. Point11 supports overlapping key validity periods to enable zero-downtime rotation.
• Store keys in environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager). Never hardcode keys in source code or commit them to version control.
• Apply the principle of least privilege. Assign only the scopes your integration requires.
• Monitor key usage in the Point11 dashboard. Revoke keys immediately if compromised.

Rate Limiting

The Point11 API enforces rate limits to ensure fair usage and platform stability:

• Standard tier: 100 requests per minute per API key.
• Professional tier: 500 requests per minute per API key.
• Enterprise tier: 2,000 requests per minute per API key. Custom limits available on request.

Rate limit headers are included in every response:

X-RateLimit-Limit: 500
X-RateLimit-Remaining: 487
X-RateLimit-Reset: 1706140800

When you exceed the rate limit, the API returns a 429 Too Many Requests response with a Retry-After header indicating how many seconds to wait before retrying.

Security Recommendations

• Always use HTTPS. The API does not accept unencrypted HTTP connections.
• Validate TLS certificates in your HTTP client. Do not disable certificate verification.
• Implement token refresh logic to handle expired tokens gracefully without user-facing errors.
• Log authentication failures and monitor for brute-force patterns.

Sources

• OAuth 2.0 Authorization Framework (RFC 6749): https://datatracker.ietf.org/doc/html/rfc6749
• Proof Key for Code Exchange — PKCE (RFC 7636): https://datatracker.ietf.org/doc/html/rfc7636
• OAuth 2.0 Bearer Token Usage (RFC 6750): https://datatracker.ietf.org/doc/html/rfc6750
• OWASP Authentication Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html