This page outlines the authentication method required to make requests to the Thrive API.
Basic Authentication
To use the Thrive API, you must first authenticate. We use Basic Authentication, which consists of a username and a password.
Username: This is your tenant-id, a unique identifier for you as a customer. To obtain your tenant-id, contact our Support Team.
Password: This is your API key (api_key) that you must first generate.
Important
We highly recommend storing your API key securely in a secrets or password manager.
Important Security Information
Please note the following critical security details:
Environment Specificity: The tenant-id for your live site will be different from your staging site. You will need both to properly test your integration against staging.
Multi-Domain: If you have multiple domains configured, the tenant-id will be unique for each domain across both live and staging environments.
Security: You must not share API key(s) with anyone who doesn't need to know. Sharing keys may allow access to sensitive organisational data.
Code Safety: Ensure your API key is not included in code repositories (like GitHub or BitBucket), publicly accessible code, or application logs.
Protocol: All API requests must be made over HTTPS. Requests sent over HTTP will fail.
Generating an API key
The process for generating your API key requires administrative access to your Thrive site. Only site Administrators can generate the required tokens.
Step 1
In order to generate your API key you will need to obtain an authorisation bearer token and a correlation ID. Both of these are required for the API request you'll make to generate your API key. We recommend you complete this step using the Google Chrome browser.
Log in to your Thrive site (either staging or live) as an Administrator.
On any page, press the F12 key to open the Developer Tools (or right-click and select Inspect).
Select the Network tab in the Developer Tools panel.
With the Developer Tools still open, navigate to a new page within your Thrive site.
In the Network traffic list, apply a filter for content and click on any of the resulting fetch items to open the request details.
In the Headers section, scroll down to the Request Headers. You will find the values for Authorization and X-Correlation-Id. Copy both of these values and store them for Step 2.
Important:
When copying the Authorization value, you must copy the entire string, including the word Bearer.
Step 2
The temporary credentials retrieved in Step 1 are used to authenticate a request against our GraphQL service to create your permanent API key.
Endpoint: https://tenant.api.learn.link/tenants
Method: POST
Body (GraphQL Mutation): The request body must contain a GraphQL mutation query.
Below are code examples for making this request.
cURL
curl -X POST "https://tenant.api.learn.link/tenants" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -H "X-Correlation-ID: 00000000-0000-0000-0000-000000000000" \
  -d '{"query":"mutation { generateApiKey(tokenType: \"permanent\", services: [\"api-service\"]) { validUntil apiKey } }"}'
Node.js (Using Axios)
import axios from "axios";

const query = `
  mutation {
    generateApiKey(tokenType: "permanent", services: ["api-service"]) {
      validUntil
      apiKey
    }
  }
`;

const response = await axios.post(
  "https://tenant.api.learn.link/tenants",
  { query },
  {
    headers: {
      Authorization: "Bearer YOUR_TOKEN",
      "Content-Type": "application/json",
      "X-Correlation-ID": "00000000-0000-0000-0000-000000000000"
    },
  }
);

console.log(response.data);
Python (Using Requests)
import requests

url = "https://tenant.api.learn.link/tenants"

# Values copied from the browser in Step 1
headers = {
    "Authorization": "Bearer YOUR_TOKEN",
    "Content-Type": "application/json",
    "X-Correlation-ID": "00000000-0000-0000-0000-000000000000"
}

query = """
mutation {
  generateApiKey(tokenType: "permanent", services: ["api-service"]) {
    validUntil
    apiKey
  }
}
"""

# A timeout stops the call from hanging indefinitely if the service does not answer
response = requests.post(url, json={"query": query}, headers=headers, timeout=30)
response.raise_for_status()
print(response.json())
Java (Using HttpClient)
import java.net.http.*;
import java.net.URI;

public class GenerateApiKey {
    public static void main(String[] args) throws Exception {
        // GraphQL mutation wrapped in a JSON request body
        String json = "{\"query\":\"mutation { generateApiKey(tokenType: \\\"permanent\\\", services: [\\\"api-service\\\"]) { validUntil apiKey } }\"}";

        HttpRequest request = HttpRequest.newBuilder()
            .uri(URI.create("https://tenant.api.learn.link/tenants"))
            .header("Authorization", "Bearer YOUR_TOKEN")
            .header("Content-Type", "application/json")
            .header("X-Correlation-ID", "00000000-0000-0000-0000-000000000000")
            .POST(HttpRequest.BodyPublishers.ofString(json))
            .build();

        HttpResponse<String> response = HttpClient.newHttpClient()
            .send(request, HttpResponse.BodyHandlers.ofString());

        System.out.println(response.body());
    }
}
Successful Response
A successful response will contain your new permanent API key:
{
  "data": {
    "generateApiKey": {
      "validUntil": "2120-02-11T11:11:00.000Z",
      "apiKey": "00000000000000000000000000000"
    }
  }
}
Making Your First API Call
Once you have your tenant-id from our Support team and the API key you've created, you're ready to make your first API call.
As mentioned above, Thrive uses basic authentication where your tenant-id is your username and your API key is your password. An example of how this is set up in Postman is shown below:
[Image: Basic Authentication configured in Postman]
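The key-generation response and the Basic Authentication setup described above, tied together as an added Python example (not Thrive's own code): it extracts the key from a Step 2 response, builds the Authorization header with tenant-id as username and the API key as password, refuses non-HTTPS URLs, and redacts the header before logging. The sample response is constructed from the one shown on this page; the tenant-id value, the request URL and the handling of a GraphQL errors array are assumptions.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed sample in the Step 2 response shape shown on this page (placeholder key).
SAMPLE_RESPONSE = json.dumps({
    "data": {"generateApiKey": {
        "validUntil": "2120-02-11T11:11:00.000Z",
        "apiKey": "00000000000000000000000000000",
    }}
})


def extract_api_key(response_text):
    """Return (api_key, valid_until) from a generateApiKey response body."""
    body = json.loads(response_text)
    # Assumption: like most GraphQL services, failures arrive in an "errors"
    # array, possibly alongside an HTTP 200 status.
    if body.get("errors"):
        raise ValueError(f"generateApiKey failed: {body['errors']}")
    result = (body.get("data") or {}).get("generateApiKey") or {}
    if not result.get("apiKey"):
        raise ValueError("response did not contain an apiKey")
    return result["apiKey"], result.get("validUntil")


def basic_auth_headers(url, tenant_id, api_key):
    """Basic Authentication header: tenant-id is the username, API key the password."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    if ":" in tenant_id:
        raise ValueError("a Basic Authentication username cannot contain ':'")
    token = base64.b64encode(f"{tenant_id}:{api_key}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def redact_headers(headers):
    """Copy of the headers that is safe to write to application logs."""
    return {name: ("<redacted>" if name.lower() == "authorization" else value)
            for name, value in headers.items()}
```

In a real integration, pass the tenant-id and API key in from your secrets manager or environment rather than from source code.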
See More
The specifications for our other APIs can be found using the links below, or by navigating to them from the menu on the left-hand side of this page:
User Webhooks (Note: the base URL for User webhooks is different to all others)