There are two authentication methods for APIs:

  • Bearer Token (recommended)
  • HTTP Basic authentication (RFC 7617)

Both methods use information associated with a user profile: the username/password in the case of HTTP Basic authentication, or an API authentication token generated on demand by Cantook Hub.

Users already logged into the Cantook Hub administration site can access the APIs without having to log in again, as long as they are within the same browser session. Multi-factor authentication is not used to access the APIs.

Authentication token

The authentication token is a multi-character, alphanumeric key generated by a online service. This key must be stored securely, and can be used during an API request to authenticate to the service. In Cantook Hub, the authentication token is associated with a user account. Users are the only ones able to manage their own tokens. Only one authentication token is valid at a time, but it can be used multiple times.

An API request using an authentication token must be made with a Bearer Token authentication. Authentication by token is faster than HTTP Basic authentication and just as secure, while avoiding the need to manage a username/password pair in a third-party system. 

Generating an authentication token

  1. Log in to Cantook Hub.
  2. Click on Profile in the top menu bar.
  3. Under the Users > User list tab, click on the pencil icon to the right of your username.
  4. Select the Security tab. 
  5. Under the Authentication token for APIs section, click on the Generate authentication token button. The new token is displayed, in bold, in a green box at the top of the screen.
  6. Copy this character string and use it for authentication in your API integration.


  • Keep this token in a safe place on a device other than the one you use to access the digital warehouse (computer and/or mobile device). This token must remain accessible in the event of loss, damage or theft of your usual equipment. 
  • Only one authentication token is valid at a time. Any token therefore becomes unusable as soon as a new token is generated.