search
BlogGithub

Authentication

This document covers the authentication methods for Sling API specifications. For the basic structure, see Structure.

Sling supports several authentication methods, configured under the authentication key.

⚠️ Important: It's best practice to use environment variables or secrets for sensitive values instead of hardcoding them.

hashtag
Managing Secrets and Environment Variables

Sling provides flexible ways to manage sensitive authentication data through environment variables and the env.yaml file. Here's how to configure them:

hashtag
Using the env.yaml File

The primary method for managing secrets is through the env.yaml file located at ~/.sling/env.yaml. When defining API connections, you can specify secrets that will be available to your API specs.

# ~/.sling/env.yaml
connections:
  my_api:
    type: api
    spec: file:///path/to/my_api.spec.yaml
    secrets:
      api_key: "your-secret-api-key"
      client_id: "your-oauth-client-id"
      client_secret: "your-oauth-client-secret"
      username: "your-username"
      password: "your-password"
      
  github_api:
    type: api
    spec: github
    secrets:
      token: "ghp_xxxxxxxxxxxxxxxxxxxx"
      
  stripe_api:
    type: api
    spec: stripe
    secrets:
      api_key: "sk_test_xxxxxxxxxxxxxxxxxxxx"

You'll be able to access the secrets values via the {secrets.var_name} expression.

hashtag
Using Environment Variables

You can also provide secrets via environment variables. In your API spec, use the {env.VARIABLE_NAME} syntax:

hashtag
Authentication Methods

Now that you understand how to manage secrets, here are the different authentication methods you can configure:

hashtag
No Authentication

hashtag
Static Header Authentication

For APIs that require headers for authentication (e.g., API keys, bearer tokens):

This is ideal for:

  • API keys passed in headers (e.g., X-API-Key: your-key)

  • Bearer tokens (e.g., Authorization: Bearer your-token)

  • Custom authentication headers

  • Multiple authentication headers

Examples:

Shorthand Syntax:

When only headers are provided without any other authentication configuration, the type defaults to static:

📝 Note: For dynamic token retrieval (e.g., login flow), use the sequence authentication type instead.

hashtag
Basic Auth

hashtag
OAuth2 Authentication

For OAuth2 flows, use the oauth2 type. Sling supports three OAuth2 flows:

Flow
Use Case
Interactive

client_credentials

Server-to-server, machine-to-machine

No

authorization_code

User-facing apps, browser-based auth

Yes

device_code

CLI tools, headless environments

Yes (on another device)

Full Property Reference:

Token Persistence: Sling automatically stores OAuth tokens in ~/.sling/api/tokens/{connection_name}.json and refreshes them when they expire. You don't need to manage token refresh manually.

PKCE Support: For public clients (when client_secret is empty), Sling automatically enables PKCE (Proof Key for Code Exchange) for added security.

Client Credentials Flow (Server-to-Server):

The most common flow for automated data pipelines. No user interaction required.

Authorization Code Flow (Browser-Based):

For user-interactive authentication. Sling opens a browser for authorization and handles the callback automatically.

Device Code Flow (Headless/CLI):

For environments without a browser. Sling displays a URL and code for the user to enter on another device.

hashtag
AWS Signature V4 Authentication

For AWS services that require Signature V4 authentication (e.g., S3, AppSync, API Gateway):

📝 Note: For AWS authentication, you can use either explicit credentials (aws_access_key_id, aws_secret_access_key) or AWS profiles (aws_profile). The AWS SDK credential chain is also supported.

hashtag
HMAC Authentication

For APIs that require HMAC (Hash-based Message Authentication Code) request signing, such as cryptocurrency exchanges (Kraken, Binance) or custom enterprise APIs:

How HMAC Works:

  1. A signing string is constructed from request components (method, path, timestamp, body hash, etc.)

  2. The string is signed using HMAC-SHA256 or HMAC-SHA512 with your secret key

  3. The signature and related headers are automatically added to each request

Secret Encoding:

Some APIs provide secrets in encoded formats (hex or base64) that must be decoded to raw bytes before signing. Use secret_encoding (v1.5.6+) to specify how to decode the secret:

  • "raw" or "" (default) - Use secret as-is (plain string)

  • "hex" - Decode secret from hexadecimal string to bytes

  • "base64" - Decode secret from base64 string to bytes

Available Variables for Signing:

  • http_method - HTTP method (GET, POST, etc.)

  • http_path - Request path with query parameters

  • http_query - Canonical query string (sorted alphabetically by key)

  • http_headers - Canonical headers (lowercase, sorted, newline-separated)

  • http_body_raw - Raw request body as string

  • http_body_md5 - MD5 hash of request body (hex-encoded)

  • http_body_sha1 - SHA1 hash of request body (hex-encoded)

  • http_body_sha256 - SHA256 hash of request body (hex-encoded)

  • http_body_sha512 - SHA512 hash of request body (hex-encoded)

  • unix_time - Unix timestamp in seconds

  • unix_time_ms - Unix timestamp in milliseconds

  • date_iso - ISO 8601 formatted date (e.g., "2023-10-31T15:30:32Z")

  • date_rfc1123 - RFC 1123 formatted date (e.g., "Tue, 31 Oct 2023 15:30:32 GMT")

  • nonce - Random hex string (if nonce_length is set)

  • signature - Computed HMAC signature (hex-encoded, only available in request_headers)

Example: Kraken-style Authentication

Example: Hex-encoded Secret

Some APIs provide secrets as hex strings that must be decoded before signing:

📝 Note: The signing_string and request_headers templates support all Sling template variables including {secrets.*}, {env.*}, and {state.*}.

hashtag
Sequence Authentication (Custom Workflows)

For APIs requiring a custom authentication sequence (e.g., multi-step login), use the sequence type. This allows defining a series of API calls to obtain authentication tokens or session data.

This performs a login request and extracts the token into state.token for use in subsequent requests. See Requests & Responsesarrow-up-right for more on sequences.

hashtag
Endpoint-Level Authentication

By default, all endpoints use the authentication configured at the spec level. However, individual endpoints can override or disable authentication.

hashtag
Overriding Authentication

An endpoint can specify its own authentication that overrides the spec-level configuration:

hashtag
Disabling Authentication

Some endpoints (like health checks or public data) may not require authentication. Set authentication: null to disable it:

hashtag
Authentication Expiry

The expires property can be used with any authentication type to force re-authentication after a specified number of seconds. This is useful when tokens or sessions have a fixed lifetime.

When authentication expires, Sling automatically re-authenticates before the next request. This happens transparently without interrupting data extraction.

hashtag
Authentication Method Comparison

Method
Best For
Auto-Refresh
Interactive

static

API keys, bearer tokens

N/A

No

basic

Username/password APIs

N/A

No

oauth2

Modern APIs, delegated auth

Yes

Depends on flow

aws-sigv4

AWS services

Yes

No

hmac

Crypto exchanges, signed requests

N/A

No

sequence

Custom auth workflows

No (use expires)

No

PreviousStructureNextRequests & Iteration

Last updated

Was this helpful?