Authentication
How to authenticate with the Jobiflow Public API using API keys and OAuth2
Authentication
The Jobiflow Public API supports two authentication methods:
| Method | Use case |
|---|---|
| API Key (X-API-Key header) | Server-to-server integrations, ATS plugins, automation scripts |
| OAuth2 Bearer Token | Acting on behalf of a logged-in company user (dashboard integrations) |
For most third-party integrations, API keys are the recommended method.
API Keys
Creating an API Key
API keys are created from the Jobiflow company dashboard under Settings → API Keys, or via the API itself:
```http
POST /settings/api-keys
Authorization: Bearer <oauth2_token>
Content-Type: application/json

{
  "label": "My Integration",
  "scopes": ["jobs:read", "jobs:write", "applications:read"],
  "expiresAt": "2027-01-01T00:00:00Z"
}
```

The response contains a rawKey field — this is the only time the full key is returned. Store it securely in your secrets manager.

```json
{
  "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "keyPrefix": "jbf_live_abc12",
  "label": "My Integration",
  "scopes": ["jobs:read", "jobs:write", "applications:read"],
  "createdAt": "2026-05-17T10:00:00Z",
  "expiresAt": "2027-01-01T00:00:00Z",
  "active": true,
  "rawKey": "jbf_live_abc12...FULL_KEY"
}
```

Using an API Key
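The creation call above returns the full key exactly once, so the client side has two jobs: validate the request before it is sent (scopes are immutable, and every key should carry an expiry) and separate the rawKey from the metadata that is safe to log or persist. The following is an added example, not Jobiflow's own SDK; it assumes only what the page shows (the POST /settings/api-keys endpoint, its body, and the response fields), with the base URL taken from the OAuth2 section and the sample response constructed from the page's own example.

```python
"""Create a Jobiflow API key and keep the one-time rawKey out of logs."""
import json
import urllib.request
from datetime import datetime, timezone

BASE_URL = "https://api.jobiflow.com"  # assumed: the host the page gives for OAuth2

# Scopes documented on this page; anything else is rejected before the call.
KNOWN_SCOPES = {
    "jobs:read", "jobs:write", "applications:read", "applications:write",
    "candidates:read", "candidates:write", "webhooks:manage", "analytics:read",
}


def build_create_request(oauth2_token, label, scopes, expires_at, now=None):
    """Return (url, headers, body_bytes) for POST /settings/api-keys.

    Rejects unknown scopes (they cannot be changed after creation) and a
    missing or past expiresAt, so weak keys never get created by accident.
    """
    unknown = sorted(set(scopes) - KNOWN_SCOPES)
    if not scopes or unknown:
        raise ValueError(f"empty or unknown scopes: {unknown}")
    now = now or datetime.now(timezone.utc)
    expiry = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
    if expiry <= now:
        raise ValueError("expiresAt must be in the future")
    headers = {
        "Authorization": f"Bearer {oauth2_token}",
        "Content-Type": "application/json",
    }
    payload = {"label": label, "scopes": sorted(set(scopes)), "expiresAt": expires_at}
    return f"{BASE_URL}/settings/api-keys", headers, json.dumps(payload).encode()


def send_create_request(url, headers, body):
    """Real HTTPS call; returns the raw response bytes (network, not used offline)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def split_create_response(body_bytes):
    """Return (metadata_without_rawKey, rawKey).

    Only the metadata should be logged or written to a database; the rawKey
    goes straight to the secrets manager and is never persisted elsewhere.
    """
    data = json.loads(body_bytes)
    raw_key = data.pop("rawKey")
    if not raw_key.startswith(data["keyPrefix"]):
        raise ValueError("rawKey does not match keyPrefix")
    return data, raw_key


def redact(raw_key, key_prefix):
    """Log-safe form: the documented keyPrefix followed by an ellipsis."""
    if not raw_key.startswith(key_prefix):
        raise ValueError("prefix mismatch")
    return key_prefix + "..."


# Constructed response, copied from the example on the page.
SAMPLE_RESPONSE = b"""{
  "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "keyPrefix": "jbf_live_abc12",
  "label": "My Integration",
  "scopes": ["jobs:read", "jobs:write", "applications:read"],
  "createdAt": "2026-05-17T10:00:00Z",
  "expiresAt": "2027-01-01T00:00:00Z",
  "active": true,
  "rawKey": "jbf_live_abc12...FULL_KEY"
}"""

if __name__ == "__main__":
    meta, raw = split_create_response(SAMPLE_RESPONSE)
    print("created key", redact(raw, meta["keyPrefix"]), "with scopes", meta["scopes"])
    # In a real run: send_create_request(*build_create_request(token, ...)) and hand
    # `raw` to your secrets manager (placeholder; not part of the page).
```

The request builder is deliberately the only place that knows the scope list, so an integration that asks for a typo'd or over-broad scope fails locally instead of producing a key that then has to be revoked.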
Pass your API key in the X-API-Key request header on every call:

```http
GET /public/v1/job-listings
X-API-Key: jbf_live_abc12...FULL_KEY
```

Scopes
Every API key must declare one or more scopes at creation time. Requests that require a scope not granted to the key will receive 403 Forbidden.
| Scope | Description |
|---|---|
| jobs:read | List and retrieve job listings |
| jobs:write | Create, update, publish, archive, and delete job listings |
| applications:read | List and retrieve applications |
| applications:write | Submit external applications, update application status |
| candidates:read | Search and view candidate profiles |
| candidates:write | Import external candidates into the pipeline |
| webhooks:manage | Create, update, and delete webhook subscriptions |
| analytics:read | Read analytics and overview metrics |
You can update a key's label after creation, but scopes are immutable — revoke and issue a new key to change scopes.
Revoking a Key
```http
DELETE /settings/api-keys/{id}
Authorization: Bearer <oauth2_token>
```

Revoked keys receive a 401 Unauthorized immediately.
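A client that uses the key needs to treat the two failure codes above differently: 403 means the integration asked for something outside the key's scopes (a configuration problem to fix at key creation), while 401 means the key itself is revoked, expired or unknown and the integration must stop and alert. This added example is not Jobiflow's own SDK; it assumes only the documented header, the /public/v1/job-listings path and the 401/403 semantics. The transport is injectable, so the fake_transport at the bottom lets it run offline; the constructed fake mirrors the documented behaviour.

```python
"""Minimal X-API-Key client with the documented 401/403 handling."""
import json
import urllib.error
import urllib.request


class MissingScope(PermissionError):
    """403 Forbidden: the key was not granted a scope this endpoint requires."""


class InvalidKey(PermissionError):
    """401 Unauthorized: the key is revoked, expired or unknown."""


def urllib_transport(method, url, headers):
    """Real HTTPS transport: returns (status, body_bytes), never raises on 4xx/5xx."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


class JobiflowClient:
    def __init__(self, api_key, base_url="https://api.jobiflow.com", transport=urllib_transport):
        # The page requires HTTPS for every authenticated call; refuse anything else.
        if not base_url.startswith("https://"):
            raise ValueError("refusing to send an API key over plain HTTP")
        self._key = api_key
        self._base = base_url.rstrip("/")
        self._transport = transport

    def _request(self, method, path):
        headers = {"X-API-Key": self._key, "Accept": "application/json"}
        status, body = self._transport(method, self._base + path, headers)
        if status == 401:
            raise InvalidKey("key revoked, expired or unknown: stop and alert")
        if status == 403:
            raise MissingScope(f"{method} {path} needs a scope this key was not granted")
        if status >= 400:
            raise RuntimeError(f"HTTP {status}: {body[:200]!r}")
        return json.loads(body) if body else None

    def list_job_listings(self):
        """Requires the jobs:read scope."""
        return self._request("GET", "/public/v1/job-listings")


def fake_transport(granted_scopes, revoked=False):
    """Constructed stand-in for the API so the client can be exercised offline."""
    def transport(method, url, headers):
        if "X-API-Key" not in headers or revoked:
            return 401, b'{"error": "unauthorized"}'
        if url.endswith("/public/v1/job-listings"):
            if "jobs:read" not in granted_scopes:
                return 403, b'{"error": "forbidden"}'
            return 200, b'{"items": [{"id": "job_1", "title": "Example listing"}]}'
        return 404, b""
    return transport


if __name__ == "__main__":
    client = JobiflowClient("jbf_live_example", transport=fake_transport({"jobs:read"}))
    print(client.list_job_listings())
```

Mapping 401 and 403 to distinct exception types lets the calling code alert on InvalidKey (someone revoked or rotated the key) without paging anyone for a MissingScope, which is fixed by issuing a new key with the right scopes.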
OAuth2
The Jobiflow Authorization Server (https://api.jobiflow.com) acts as both the Authorization Server and a Resource Server.
Authorization Code Flow
Authorization URL: https://api.jobiflow.com/oauth2/authorize
Token URL: https://api.jobiflow.com/oauth2/token

Supported scopes: openid, profile, email
Once you have an access token, pass it as a Bearer token:
```http
GET /settings/api-keys
Authorization: Bearer eyJhbGciOiJSUzI1NiJ9...
```

Social Login Providers
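The page gives the two endpoints and the scopes but not the request parameters of the Authorization Code flow, so the following added example (not Jobiflow's own code) fills them with the standard OAuth2 names: response_type, client_id, redirect_uri, scope, state and grant_type. It also adds PKCE (code_challenge, code_challenge_method, code_verifier, RFC 7636) and a state check on the callback; whether the Jobiflow server accepts PKCE is an assumption, while the state check is purely client-side. The client_id and redirect_uri values are placeholders.

```python
"""Authorization Code flow with state and PKCE against the documented endpoints."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://api.jobiflow.com/oauth2/authorize"
TOKEN_URL = "https://api.jobiflow.com/oauth2/token"
SCOPES = ("openid", "profile", "email")  # the scopes listed on the page


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    verifier = verifier or secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def begin_login(client_id, redirect_uri, state=None, verifier=None):
    """Build the authorize URL. The caller stores state and verifier in the session."""
    state = state or secrets.token_urlsafe(32)
    verifier, challenge = pkce_pair(verifier)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state, verifier


def handle_callback(callback_url, expected_state, verifier, client_id, redirect_uri):
    """Verify the state from the session, then return the form body for POST TOKEN_URL."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise RuntimeError(f"authorization failed: {qs['error'][0]}")
    received = qs.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the callback did not come from a
    # login this session started (CSRF or a stale tab), so no code is exchanged.
    if not secrets.compare_digest(received.encode(), expected_state.encode()):
        raise ValueError("state mismatch: refusing to exchange the code")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": qs["code"][0],
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,  # proves this client started the flow
    }


if __name__ == "__main__":
    # Placeholder client registration values, not from the page.
    url, state, verifier = begin_login("YOUR_CLIENT_ID", "https://app.example/callback")
    print("Send the user to:", url)
    # After the redirect: body = handle_callback(callback_url, state, verifier, ...)
    # then POST body (form-encoded) to TOKEN_URL and read access_token from the JSON.
```

The token request body is returned rather than sent so the flow can be unit-tested without a browser; in production it is POSTed form-encoded to TOKEN_URL and the resulting access_token is then used exactly as the Bearer header above shows.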
Jobiflow supports the following OAuth2 providers for user authentication:
Security Best Practices
- Never commit API keys to version control. Use environment variables or a secrets manager.
- Set an expiry date on every key. Rotate keys periodically.
- Grant the minimum set of scopes required for each integration.
- Use HTTPS for all API calls. Never make authenticated requests over plain HTTP.
- Monitor lastUsedAt on keys in the dashboard; investigate any unexpected activity.
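The expiry, least-privilege and lastUsedAt points above can be checked mechanically. The following added example (not Jobiflow's own tooling) audits a list of key records and reports the ones that need action. It assumes records shaped like the creation response on the page (keyPrefix, scopes, createdAt, expiresAt, active) plus the lastUsedAt field the page mentions; the sample records are constructed.

```python
"""Audit API keys for missing or near expiry, staleness and write scopes."""
from datetime import datetime, timedelta, timezone

# Scopes from the page that can change data; keys holding them deserve a second look.
WRITE_SCOPES = {"jobs:write", "applications:write", "candidates:write", "webhooks:manage"}


def _ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z; None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def audit_keys(keys, now, expiring_days=14, stale_days=90):
    """Return {keyPrefix: [findings]} for every active key that needs attention."""
    findings = {}
    for key in keys:
        if not key.get("active", True):
            continue  # revoked keys already return 401; nothing to do
        notes = []
        expires, used, created = _ts(key.get("expiresAt")), _ts(key.get("lastUsedAt")), _ts(key["createdAt"])
        if expires is None:
            notes.append("no expiry set")
        elif expires <= now:
            notes.append("expired but still active")
        elif expires - now <= timedelta(days=expiring_days):
            notes.append(f"expires within {expiring_days} days: rotate")
        if used is None and now - created > timedelta(days=stale_days):
            notes.append("never used: revoke")
        elif used is not None and now - used > timedelta(days=stale_days):
            notes.append(f"unused for {stale_days}+ days: revoke")
        broad = WRITE_SCOPES & set(key["scopes"])
        if broad:
            notes.append("write scopes granted, confirm least privilege: " + ", ".join(sorted(broad)))
        if notes:
            findings[key["keyPrefix"]] = notes
    return findings


# Constructed sample records and audit time, not real Jobiflow data.
AUDIT_NOW = datetime(2026, 5, 17, 12, 0, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"keyPrefix": "jbf_live_aaaa1", "scopes": ["jobs:read"], "createdAt": "2026-01-01T00:00:00Z",
     "expiresAt": "2027-01-01T00:00:00Z", "lastUsedAt": "2026-05-10T08:00:00Z", "active": True},
    {"keyPrefix": "jbf_live_bbbb2", "scopes": ["jobs:write"], "createdAt": "2025-06-01T00:00:00Z",
     "expiresAt": None, "lastUsedAt": "2026-01-01T00:00:00Z", "active": True},
    {"keyPrefix": "jbf_live_cccc3", "scopes": ["analytics:read"], "createdAt": "2026-05-01T00:00:00Z",
     "expiresAt": "2026-05-20T00:00:00Z", "lastUsedAt": "2026-05-16T09:30:00Z", "active": True},
    {"keyPrefix": "jbf_live_dddd4", "scopes": ["jobs:read"], "createdAt": "2025-01-01T00:00:00Z",
     "expiresAt": "2026-01-01T00:00:00Z", "lastUsedAt": None, "active": False},
]

if __name__ == "__main__":
    for prefix, notes in audit_keys(SAMPLE_KEYS, AUDIT_NOW).items():
        print(prefix, "->", "; ".join(notes))
```

Run on a nightly schedule against the key list, the output is a short list of prefixes to rotate or revoke; the "unused for 90+ days" finding is the same signal the lastUsedAt field in the dashboard gives, just turned into an alert.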