Authentication

Authentication requirements are integration-specific and may vary by environment or API group.

What To Confirm

Before you start, confirm with your Looms or AND Global technical contact:

• how credentials are issued
• which authentication flow applies to your integration
• whether access tokens, refresh tokens, API keys, or other credentials are required
• whether separate credentials are used per environment

Using Authenticated Endpoints

For endpoints that require authorization:

• obtain credentials through the agreed onboarding process
• request or generate the required token using the documented auth flow
• send the token or credential in the required header format
• refresh or rotate credentials as required by your environment

If an endpoint is public, the endpoint reference will typically not require an authorization header.

Token-Based Access

Some Looms flows return access tokens and refresh tokens. Where token-based access is used:

• treat tokens as secrets
• do not expose tokens in client-side logs or analytics tools
• store tokens securely
• implement refresh handling if your integration depends on long-lived sessions

Verify Per Endpoint

Always check the API Catalog for the endpoint you are integrating with and confirm:

• whether authentication is required
• required headers
• request payload format for login or token exchange flows
• any environment-specific behavior

Security Recommendations

• never hardcode production credentials in source code
• rotate secrets using your internal secret-management process
• use separate credentials for non-production and production environments
• restrict access to only the endpoints required for your integration