# Authentication Methods
Weavestream supports a wide range of authentication methods to connect to virtually any REST API. All credentials are stored securely in your Mac's Keychain — they never leave your device unencrypted.
Choose the method that matches your API's requirements when adding or editing a source.
## None
No authentication is needed. Use this for public APIs that don't require credentials.
## Bearer Token
The most common method for modern APIs. You provide an access token, and Weavestream sends it in the `Authorization: Bearer <token>` header with every request.
You'll need:
- Access Token — The token provided by your API service
Works well with: GitHub, NinjaOne, most SaaS APIs that provide personal access tokens or API tokens.
## API Key
Similar to Bearer, but sends the key directly in the Authorization header without the "Bearer" prefix. Some APIs expect credentials in this format.
You'll need:
- API Key — Your API key
Works well with: APIs that use a raw key in the Authorization header.
## Basic Auth
HTTP Basic authentication sends a base64-encoded username and password with every request.
You'll need:
- Credentials — Enter in `username:password` format
Works well with: Legacy APIs, self-hosted services, and APIs that use Basic auth.
## Query Parameter
Some APIs expect authentication as a URL parameter rather than a header. Weavestream will append the parameter to every request URL automatically.
You'll need:
- Parameter Name — The name of the URL parameter (e.g., `X-Plex-Token`, `api_key`)
- Token Value — Your token or key
Works well with: Plex, and other APIs that use token-based URL parameters.
## Credential Parameters
For APIs that accept username and password as separate request parameters (in the query string or body), rather than using standard HTTP authentication.
You'll need:
- Username Parameter — The parameter name for the username (e.g., `account`)
- Password Parameter — The parameter name for the password (e.g., `passwd`)
- Credentials — Enter in `username:password` format
Works well with: Synology and similar APIs that use custom credential parameters.
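The Query Parameter and Credential Parameters methods both place the secret in the request URL, and URLs are routinely written to proxy and server access logs, so it is worth masking those values before a URL is logged or pasted into a ticket. The following is an added example, not Weavestream code: the parameter names come from this page's examples, while the hosts and secret values are constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names from this page's examples; extend for your own sources.
SENSITIVE_PARAMS = frozenset({"x-plex-token", "api_key", "_sid", "passwd"})


def leaked_params(url, sensitive=SENSITIVE_PARAMS):
    """Return the sorted names of credential-bearing parameters present in url."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({name for name, _ in pairs if name.lower() in sensitive})


def redact_url(url, sensitive=SENSITIVE_PARAMS):
    """Return url with the value of every sensitive query parameter masked."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(n, "REDACTED" if n.lower() in sensitive else v) for n, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked)))


# Constructed sample URLs (hypothetical hosts and secrets).
SAMPLE_URLS = [
    "https://plex.example.test:32400/library/sections?X-Plex-Token=abc123&type=1",
    "https://nas.example.test:5001/webapi/entry.cgi?api=SYNO.API.Auth&version=6"
    "&account=admin&passwd=hunter2",
    "https://api.example.test/v1/devices?page=2",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(leaked_params(url), redact_url(url))
```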
## Session-Based Auth
Some APIs require a two-step process: first you log in to get a session token, then you include that token in subsequent requests. Weavestream automates this entire flow.
You'll need to configure:
### Login Endpoint
- Login Path — The path for the login endpoint (e.g., `/webapi/entry.cgi`)
- Login Method — GET or POST
- Use Form-URLEncoded — Toggle this on if the API expects form-encoded POST data
- Parameters — Key-value pairs to send with the login request (e.g., `api=SYNO.API.Auth`, `version=6`)
### Credentials
- Username Parameter — The parameter name for the username
- Password Parameter — The parameter name for the password
- Credentials — Enter in `username:password` format
### Token Extraction
- JSON Path — Where to find the session token in the login response (e.g., `data.sid`)
### Token Injection
- Location — Whether to inject the token as a Query Parameter or a Header
- Parameter/Header Name — The name to use (e.g., `_sid`)
- Prefix (optional) — Text to prepend to the token (e.g., `Bearer`)
You can click Test Login to verify your session configuration works before saving.
Works well with: Synology DSM, and other APIs with session-based authentication.
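The three configured stages (login request, token extraction by JSON path, token injection) can be modelled as below; this is an added sketch of the flow, not Weavestream's implementation. The configuration keys, the first-colon credential split, the verbatim prefix handling and the sample login responses are assumptions made for the example.

```python
import json
from urllib.parse import urlencode

# Constructed configuration using the field names and example values on this page.
CONFIG = {
    "login_path": "/webapi/entry.cgi", "login_method": "GET",
    "parameters": {"api": "SYNO.API.Auth", "version": "6"},
    "username_param": "account", "password_param": "passwd",
    "json_path": "data.sid",
    "inject_location": "query", "inject_name": "_sid", "prefix": "",
}

def build_login(base_url, cfg, credentials):
    """Step 1: assemble the login request from 'username:password' credentials."""
    # Assumption: split on the first colon only, so passwords may contain ':'.
    user, sep, password = credentials.partition(":")
    if not sep:
        raise ValueError("credentials must be in username:password format")
    params = {**cfg["parameters"], cfg["username_param"]: user,
              cfg["password_param"]: password}
    url = base_url + cfg["login_path"]
    if cfg["login_method"] == "GET":
        return {"method": "GET", "url": url + "?" + urlencode(params), "body": None}
    # POST with the form-urlencoded toggle on: credentials travel in the body.
    return {"method": "POST", "url": url, "body": urlencode(params)}

def extract_token(response_text, json_path):
    """Step 2: walk a dotted JSON path such as 'data.sid' in the login response."""
    node = json.loads(response_text)
    for key in json_path.split("."):
        if not isinstance(node, dict) or key not in node:
            raise ValueError(f"no {json_path!r} in login response (login failed?)")
        node = node[key]
    if not isinstance(node, str) or not node:
        raise ValueError(f"{json_path!r} is not a non-empty string")
    return node

def inject_token(url, headers, token, cfg):
    """Step 3: attach the session token to a later request as configured."""
    # Assumption: the prefix is prepended verbatim, so include any trailing space.
    value = cfg["prefix"] + token
    if cfg["inject_location"] == "header":
        return url, {**headers, cfg["inject_name"]: value}
    joiner = "&" if "?" in url else "?"
    return url + joiner + urlencode({cfg["inject_name"]: value}), dict(headers)

# Constructed login responses: one success, one failure.
LOGIN_OK = '{"data": {"sid": "constructed-session-id"}, "success": true}'
LOGIN_FAILED = '{"error": {"code": 400}, "success": false}'
```

With a GET login the password appears in the login URL itself, while the POST form-encoded variant keeps it in the request body.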
## OAuth 2.0
OAuth is an industry-standard protocol that lets you authorize Weavestream to access an API on your behalf. Weavestream supports two OAuth flows:
### Authorization Code Flow
This is the standard OAuth flow where you log in through the service's website. A browser window opens, you sign in, and the service redirects back to Weavestream with an authorization code.
You'll need:
- Authorization URL — The service's authorization page URL
- Token URL — The endpoint where Weavestream exchanges the code for a token
- Client ID — Your OAuth app's client ID
- Client Secret — Your OAuth app's client secret (optional if using PKCE)
- Scopes (optional) — Space-separated list of permission scopes
After filling in the details, click Authenticate with Provider. A browser window opens for you to sign in. Once complete, you'll see a green "Authenticated" checkmark.
Note: You'll need to register `http://localhost:8080/callback` as a redirect URI in your OAuth provider's developer console.
Works well with: Zoho, NinjaOne (with PKCE), and other services with user-facing OAuth.
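To show what the Authorization Code flow with PKCE involves when no client secret is used, here is an added example (not Weavestream's code) that generates the S256 challenge, builds the browser URL, validates the redirect to `http://localhost:8080/callback`, and prepares the token exchange. The function names and the use of a `state` value to bind the callback to the login attempt are assumptions of the example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

REDIRECT_URI = "http://localhost:8080/callback"  # redirect URI named on this page


def challenge_for(verifier):
    """S256 code challenge: base64url(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def start_authorization(auth_url, client_id, scopes=""):
    """Return (browser_url, verifier, state); keep verifier and state locally."""
    verifier = secrets.token_urlsafe(64)   # 86 characters, within the 43-128 allowed
    state = secrets.token_urlsafe(16)      # ties the callback to this attempt
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "state": state,
              "code_challenge": challenge_for(verifier),
              "code_challenge_method": "S256"}
    if scopes:
        params["scope"] = scopes           # space-separated, as entered in the form
    return auth_url + "?" + urlencode(params), verifier, state


def read_callback(callback_url, expected_state):
    """Validate the redirect and return the authorization code."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this login")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def token_request_body(code, verifier, client_id):
    """Form body for the token URL; the verifier proves who started the flow."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI, "client_id": client_id,
                      "code_verifier": verifier})
```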
### Client Credentials Flow
This flow is for machine-to-machine authentication where no user login is needed. Weavestream exchanges your client ID and secret directly for an access token.
You'll need:
- Token URL — The endpoint for obtaining tokens
- Client ID — Your application's client ID
- Client Secret — Your application's client secret
- Scopes (optional) — Space-separated list of permission scopes
- Use Basic Auth header — Toggle this on if the service expects credentials in the Authorization header rather than the request body
Click Test Connection to verify your credentials. A green "Connected" checkmark confirms everything is working.
Works well with: PayPal, AWS, and other machine-to-machine APIs.
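The "Use Basic Auth header" toggle changes where the client ID and secret travel in the token request; the added example below (not Weavestream's code) builds both variants and includes a decoder showing that a Basic header is only base64-encoded, so the protection comes from the TLS connection rather than the header. The percent-encoding of each part follows RFC 6749 section 2.3.1; whether Weavestream applies it is not stated on this page, and the client values are constructed.

```python
import base64
from urllib.parse import quote_plus, unquote_plus, urlencode


def client_credentials_request(client_id, client_secret, scopes="",
                               use_basic_auth_header=False):
    """Return (headers, body) for a POST to the Token URL."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "client_credentials"}
    if scopes:
        form["scope"] = scopes
    if use_basic_auth_header:
        # RFC 6749 section 2.3.1: form-encode each part, join with ':', base64.
        pair = quote_plus(client_id) + ":" + quote_plus(client_secret)
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    else:
        # Toggle off: the credentials are sent as form fields in the body.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    return headers, urlencode(form)


def decode_basic(header_value):
    """Recover (id, secret) from a Basic header: base64 is encoding, not encryption."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, secret = base64.b64decode(blob).decode().partition(":")
    return unquote_plus(user), unquote_plus(secret)
```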
## Custom Headers
Regardless of which authentication method you choose, you can also add custom HTTP headers that are sent with every request. This is useful for APIs that require additional headers like `Accept: application/json` or custom API versioning headers.
Add headers in the Authentication step of the source wizard by clicking Add Header and entering the key-value pairs.
## Next Steps
- Configuring Endpoints — Set up your API queries
- Understanding API Sources & Endpoints — How sources and endpoints work together