Authentication for FileMaker Server

FileMaker Admin API uses an access token to define a connection to the host. The token is valid either until it is invalidated using the Invalidate Access Token call or for 15 minutes after the last call that specified the token. (While the token is valid, each call that specifies the token resets the session timeout counter to zero.)

Use the authentication call to request an access token from the host using the root administrator account name and password. Include an Authorization header with the value Basic followed by a base64-encoded string. Generate the base64-encoded string from username:password. You can also use the Basic Authentication scheme for other calls.

You can also use the PKI authentication call to request an access token from the host using the PKI token. Include an Authorization header with the value PKI followed by the PKI token. You can also use the PKI Authentication scheme for other calls.

If you use the Basic Authentication scheme for the authentication call, the request returns the access token in the response body. If you use the Basic Authentication scheme for other calls, the request returns the access token in the X-FM-Access-Token field in the response header.

For subsequent API calls, use the Bearer Authentication scheme and include an Authorization header with the value Bearer followed by the access token.

Notes 

  • Each time you use the Basic Authentication scheme or PKI Authentication scheme to get an access token, a new API session is created. To avoid having multiple API sessions, use the same access token with the Bearer Authentication scheme for all API calls.
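
The token reuse described above can be tracked on the client side. The following is an added example, not code from FileMaker: TokenSession, its method names and the sample credentials are hypothetical, and it makes no network calls. It only chooses the Authorization value for the next request and models the 15-minute idle timeout.

```python
import base64
import time

IDLE_TIMEOUT = 15 * 60  # seconds: the 15-minute window after the last call


def basic_header(username, password):
    """Authorization value for the Basic scheme: base64 of username:password."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class TokenSession:
    """Client-side view of one API session (hypothetical helper)."""

    def __init__(self, username, password, clock=time.monotonic):
        self._basic = basic_header(username, password)
        self._clock = clock
        self._token = None
        self._last_call = None
        self.sessions_created = 0

    def token_valid(self):
        return (self._token is not None
                and self._clock() - self._last_call < IDLE_TIMEOUT)

    def authorization(self):
        """Header value for the next call: Bearer while the token is live,
        Basic otherwise (which makes the host open a new API session)."""
        if self.token_valid():
            self._last_call = self._clock()  # each call resets the idle timer
            return "Bearer " + self._token
        self._token = None
        return self._basic

    def store_token(self, token):
        """Record a token taken from the authentication response body or from
        the X-FM-Access-Token response header after a Basic call."""
        self._token = token
        self._last_call = self._clock()
        self.sessions_created += 1

    def invalidate(self):
        """Forget the token locally after the Invalidate Access Token call."""
        self._token = None
```

Watching sessions_created in a long-running script shows how often it falls back to Basic and therefore how many API sessions it opens.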