Introduction
APIs often need authentication to control who can access different types of data. With FME Flow, you can choose how to secure your Data Virtualization APIs. Options include API tokens, basic authentication, or leaving endpoints open for public use. This flexibility lets you protect sensitive data while still making public info easy to share.
Authentication in Data Virtualization
Securing your endpoints is an important part of API design. In FME Flow, Data Virtualization API security is handled separately from the standard user and item permissions.
You can control access at two levels: for the whole API or for specific endpoints. That means that, within the same API, some endpoints may be public and others restricted.
You can give access to a specific user or to a role. If you assign access per role, everyone in that role can access the endpoint. If you assign it per individual user, only that user can access the endpoint.
Keep in mind that a user might get access through both their role and their personal account. So if you ever need to remove someone’s access, make sure to check both.
There are two primary authentication approaches for integrations, each with options for placement:
- Basic authentication means sending a username and password in the request header.
- API token authentication means including a token in either the request header or as a query parameter.
Authentication Type | Placement | Configuration |
Basic | Header | Authorization: Basic <base64-encoded "username:password"> |
Token | Header | Authorization: fmetoken token=<API-token> |
Token | Query Parameter | fmetoken=<API-token> |
Data Virtualization is currently in technical preview within the 2025.1 beta and should not be used for production. Note that documentation may change rapidly and not reflect the current build. This article was written with FME 2025.1 b25562.
Learning Objectives
After completing this lesson, you’ll be able to:
- Create an API token for a Data Virtualization API
- Make an authenticated request using an API token
- Make an authenticated request using basic authentication
- Disable security settings for a single endpoint
Scenarios
In the previous exercise, you created a manual endpoint to show basic info about the EnvironData API. Now you'll learn how to manage authentication for Data Virtualization endpoints.
The EnvironData team starts by using an API token to secure access.
Later, they decide the GET /about endpoint should be public so users can access general information without logging in. This keeps sensitive data protected while allowing open access to low-risk content.
Create an API Token in FME Flow
API tokens work differently in Data Virtualization APIs than in other parts of FME Flow, like Flow Apps or webhooks.
For Flow Apps, you can limit a token to specific items when you create it. For example, this token is authorized to run a Flow app, called “CountryCity”:
But for Data Virtualization APIs, API token access isn't controlled in the same way. Item-level permissions don’t apply. For example, this token would NOT authorize requests to the Wildfire API endpoints:
The above token would only give access to view and edit the API configuration in FME Flow, which wouldn’t be useful for an integration.
Instead, endpoint authorization is determined entirely by the user who creates the token. If that user has been granted access to an endpoint, either directly or through an assigned role, any tokens they create will automatically inherit that access.
To limit token access to a specific API or endpoint, use the following approach:
- Create a dedicated user account with no additional item permissions
- Grant that user access through the Data Virtualization API’s endpoint security settings
- Sign into that user account to generate API tokens
This makes sure the token can only access the specific API or endpoint it’s meant for.
We will now create an API token in order to demonstrate making an authenticated request.
In FME Flow, click on the User Settings icon in the top-right corner to open the drop-down menu, then click Manage Tokens.
On the Token Management page, select Create.
Configure a token to use with Data Virtualization API testing.
Token Name | EnvironToken |
Description | Enable API requests to EnvironData |
Enabled | Yes |
Expiration | Default |
All Permissions | Yes |
Review the configuration and click Save to create the token.
On the confirmation page, click Download Token to save a copy of the token information as a text file to your local machine.
Note: This is the only time the full token value will be visible. If you do not download the file or copy the token now, you will need to repeat the process to generate a new API token.
Authenticate a Request From a Browser Using an API Token in a Query String Parameter
Next, we test the token in an API request to the GET /about endpoint. In order to get the endpoint URL, navigate to the EnvironData Swagger documentation.
If you make a request within the documentation page, it will return the Request URL. Copy the Request URL from the GET /about response.
Otherwise, manually create a request URL using the standard endpoint format: https://<FME Flow URL>/api/EnvironData/about
NOTE: When you open the Swagger docs in FME Flow, you're already logged in. So any requests you send there use your credentials automatically. To see how an external or unauthenticated user would access the API, you need to test from a session without your login.
In that logged-out browser session, paste the full URL for the GET /about endpoint. But don’t use the plain URL, since that would just ask you to log in. Instead, append the API token as a query string. It should look like this:
http://<FME Flow URL>/api/EnvironData/about?fmetoken=<API-token>
Replace <API-token> with the actual token value generated earlier. You can copy this value from the text file you downloaded during token creation.
After entering the modified URL, press the Enter key to send the request. If the token is valid, the API will return the expected response, confirming that authentication using a query string parameter works as intended.
API tokens can also be passed using HTTP headers. If you’d like to try that approach, continue to the next steps.
Authenticate a Request From a Client Using an API Token in a Header
Unlike query parameters, API request headers can't be easily added through a browser. To demonstrate how to make authenticated requests using headers, we’ll use a third-party API client, Postman. Postman is free and can be accessed via a web browser or downloaded as a desktop application. If Postman isn’t available on your machine, the same request can be replicated using the HTTPCaller or OpenAPICaller transformer in FME Workbench.
In Postman, start by creating a new HTTP GET request. To do this, go to File > New > HTTP.
In the new GET request, paste the same /about endpoint Request URL from earlier, but remove any query string parameters (i.e., do not include ?fmetoken=...).
http://<FME Flow URL>/api/EnvironData/about
NOTE: If you send the request without authentication, the EnvironData API will return a “401 Unauthorized” status code.
To submit an authenticated request using an API token in the headers, click the Headers tab in Postman. Configure a new header in the table.
Key | Value |
Authorization | fmetoken token=<API-token> |
Replace the <API-token> placeholder with the value from your EnvironToken text file.
Click Send. If the token was correct, a 200 OK status code and response body will be returned.
Authenticate a Request From a Client Using Basic Authentication in a Header
Finally, API requests can also be authenticated using Basic Authentication.
To test this method, create a new HTTP request in Postman and enter the same GET /about request URL used in previous steps. Open the Headers tab to configure a new header. Unlike the previous example, this method does not use an API token. Instead, you'll generate a Base64-encoded string from your FME Flow username and password.
You can use an online Base64 encoder (such as base64encode.org) or the TextEncoder transformer in FME to perform the encoding. Enter your credentials in the format username:password, then encode the full string.
Once you have the encoded result, return to Postman and add a new header. Set the Key to “Authorization” and the Value to “Basic <base64-encoded "username:password">”, replacing the placeholder with your actual encoded string.
Key | Value |
Authorization | Basic <base64-encoded "username:password"> |
Send the request. If the credentials are valid, the EnvironData API will respond with a “200 OK” status and response body.
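The three placements from the table above, built locally with Python's standard library so the username:password string is encoded on your own machine. This is an added example, not code from the article or from FME Flow; the host name, token and account values are constructed placeholders, and redact is a hypothetical helper for logging a request without its secret.

```python
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

# Constructed placeholder; substitute your own FME Flow host.
ABOUT_URL = "https://flow.example.com/api/EnvironData/about"


def token_in_header(url, token):
    """Token in a header: Authorization: fmetoken token=<API-token>."""
    return Request(url, headers={"Authorization": f"fmetoken token={token}"})


def token_in_query(url, token):
    """Token in the query string: fmetoken=<API-token>, keeping other parameters."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("fmetoken", token)]
    return Request(urlunsplit(parts._replace(query=urlencode(query))))


def basic_in_header(url, username, password):
    """Basic: Authorization: Basic <base64-encoded "username:password">."""
    if ":" in username:
        raise ValueError("a colon in the username makes username:password ambiguous")
    encoded = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return Request(url, headers={"Authorization": f"Basic {encoded}"})


def redact(request):
    """Return (url, headers) that can be logged: the secret parts are masked."""
    parts = urlsplit(request.full_url)
    query = [(k, "<redacted>" if k == "fmetoken" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    url = urlunsplit(parts._replace(query=urlencode(query, safe="<>")))
    headers = {k: v.split(" ", 1)[0] + " <redacted>" if k.lower() == "authorization" else v
               for k, v in request.header_items()}
    return url, headers


if __name__ == "__main__":
    for req in (token_in_header(ABOUT_URL, "TOKEN"),
                token_in_query(ABOUT_URL, "TOKEN"),
                basic_in_header(ABOUT_URL, "environ-user", "s3cret")):
        print(redact(req))
        # urllib.request.urlopen(req) sends the request; a 401 raises HTTPError.
```

A token placed in the query string is part of the URL itself, which is why redact has to mask it there as well as in the Authorization header.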
Disabling Authentication for an Endpoint
When the EnvironData API was set up, it was secured by default. That means the GET /about endpoint also required authentication. But sometimes, you may want different security settings for a specific endpoint.
In this case, the EnvironData Coordination Office wants GET /about to be public so users can access general info without logging in.
To do this, navigate back to the API in FME Flow. From the Endpoints tab, select the GET /about endpoint. In the Details tab, find Endpoint Security and turn off Inherit API Setting. This will load more security options.
Change the Access Level to Unauthenticated.
Click Save to apply the changes.
The GET /about endpoint can now be accessed without authentication.
Next: Creating a Workspace Response for a Data Virtualization GET Endpoint