Authentication

Learn how to authenticate your requests to the Merge API.
Overview

When making requests to the Merge API, you will need to pass proper authentication parameters so that you can identify yourself as an authorized user.

There are two primary authentication protocols we will explore below:

The credentials you retrieve from these protocols need to be included in the headers for every request you send to the Merge API.

Merge API Key

For any request you make when communicating with the Merge API, you will need an API key to authenticate yourself as an authorized user. You should have saved your access key after creating it in Merge, but if you no longer have it, you can regenerate your Production Access Key or create a new Remote Production or Test Access Key in API Keys under Configuration.

If you’re writing your own requests, add your API key with a "Bearer " prefix as a header called Authorization to authorize your Merge API requests. This header must be included in every request in this format:

Authorization: Bearer YOUR_API_KEY

If you’re using the Merge SDK in your backend to communicate with Merge, you will add your API key as a parameter during your Merge client initialization.

Merge SDK - Client Initialization
1from __future__ import print_function
2

3import time
4import MergeHRISClient
5

6configuration = MergeHRISClient.Configuration()
7

8# Swap YOUR_API_KEY below with your production key from:
9# https://app.merge.dev/keys
10configuration.api_key['tokenAuth'] = 'YOUR_API_KEY'
11configuration.api_key_prefix['tokenAuth'] = 'Bearer'
Linked Account Tokens

When sending requests to the Merge API regarding your end users’ data, you’ll only be authorized to access or manipulate that users’ data if they’ve gone through Merge Link and you’ve successfully stored their account_token for use with these requests.

The account_token also serves to signify the particular integration you wish to interact with. You can find your account_token at the bottom right of each Linked Account's page under the end user organization information.

End user organization information with account_token

Learn how to add Merge Link to your product and store your users’ account_tokens here and see how to use these account_tokens to authenticate your API requests below.

Preview of Merge Link component

If you’re writing your own requests, add your user’s account_token as a header called X-Account-Token to authorize your Merge API requests. The account_token must be included in the headers for every request in this format:

X-Account-Token: END_USER_ACCOUNT_TOKEN

If you’re using the Merge SDK in your backend to process requests related to your end users’ data, you will add your user’s account_token as a parameter called x_account_token to your request.

Merge SDK - Use Account Token
1with MergeHRISClient.ApiClient(configuration) as api_client:
2    api_instance = MergeHRISClient.EmployeesApi(api_client)
3    x_account_token = 'END_USER_ACCOUNT_TOKEN'
4

5    try:
6        api_response = api_instance.employees_list(x_account_token)
7        pprint(api_response)
8    except MergeHRISClient.ApiException as e:
9        print('Exception when calling EmployeesApi->employees_list: %s' % e)
Next Up
Pagination