Every call made to the LUSID API must be authorised by an API access token.
Note: The recommended and most secure option is to obtain a short-lived OAuth2.0-compliant token from LUSID’s identity provider, Okta, on demand.
There may be scenarios where this is not possible, for example if your system does not support Open ID Connect authentication flows. You can create a long-lived personal access token within LUSID and use this to call the API instead.
Note the following:
- A personal access token inherits the roles and policies of the user who creates it, so we recommend signing in to LUSID as the user for whom the token is intended.
- LUSID generates a personal access token but does not store it. The token is displayed once, and you are expected to store it securely in your own repository. There is no MFA, so if a personal access token leaks then a third party can freely impersonate your LUSID user.
- Deleting a user account immediately and permanently revokes all the personal access tokens created for that user.