API authentication

To make calls against your Replicon instance, you'll need to authenticate or authorize access to the instance.

Authenticating on reference pages

You can test calls using the reference pages, providing:

  • You are logged in to Replicon and have a reference page open in the same browser, and
  • Your instance's 'swimlane' (the three digits preceding .replicon.com in its URL, like sb1, na7, eu1, etc) matches the swimlane shown in the reference page's URL

If you access the reference pages using most links in this user guide, you'll automatically be prompted to log in to Replicon before being sent to the reference page, and the swimlane of the reference page should automatically update to match that of your instance. 

However, if, when testing, you want to:

  • Use the curl responses provided on the reference pages, or
  • Use another user's level of data access,

you should authorize access using token-based authentication.

Authorizing using token-based Bearer authentication

To use token-based authentication on a reference page:

  1. Open the Security API reference page.
  2. Expand the POST /AuthenticationService1.svc/CreateAccessToken2 operation.
  3. Click Try it out, and paste the following into the edit space:


  "identity": {

    "loginName": "admin"


  "description": "Token for testing export app",

  "unitOfWorkId": "001"


You can update the login name in the identity parameter; when you use the token, you'll have access to all data the user you submitted has access to.

We strongly recommend you use a unique string in the unitOfWorkId field each time you generate a new token, since this operation is idempotent – its state won’t change when you recall unless you change the unitOfWorkId value (i.e. you won’t be returned a new token).

  1. Click Execute.

A successful request will return a token.

  1. Copy this token, and open the reference page you want to test from.
  2. Click Authorize, and paste the token into the Value field.
  3. Click Authorize, then click Close.

Now when you carry out test operations, the curl data should be usable, and access should be limited by the user associated with the token.

The token shouldn’t expire, unless you included the Lifetime fields when generating it.

Be sure to keep your token secure, as it allows access to your Replicon data.

Authorizing programmatic calls

If you want to make calls programmatically, you’ll first need to authenticate using token-based Bearer authentication. Refer to the following for examples of how to format this type of authentication:

Swimlane in URL must be correct to authenticate

Each Replicon instance is hosted on a particular swimlane (sometimes called an endpoint). In the URL https://X.replicon.com/services/, X represents the swimlane, which could be NA2NA4EU1, etc, making the URL read https://na3.replicon.com/services/ or similar.

The swimlane assigned to an instance may change from time to time, and the API can only be accessed from your instance’s swimlane. 


So, it’s a good idea to include a check in your code, and generate the web service URL dynamically each time you perform a call. And, if you’re having authentication errors, check that you’re accessing the services from the correct swimlane.


I received an All access checks failed to authorize operation error

If you see an error like this: All access checks failed to authorize operation '<name of operation>' : At least one of the following permissions are required: ‘<name of permission>’, you’re missing permissions required to perform the operation in question.

For any operation carried out using services, you’ll need the same permissions and products you need to carry out that operation manually within the app. For information on signing products and permissions, select the links.

Why can’t we use basic authentication?

We don’t support basic authentication since it doesn’t work with certain features, such as multifactor authentication.