Basic Authentication

Requests made to the API are usually authenticated with HTTP Basic authentication.

In order to properly authenticate with the API, you must use your API key as the username while leaving the password blank. Requests not properly authenticated will return a 401 error code. You can generate API keys for your account in your Profile Settings. All API requests must be made over HTTPS.

In curl, you can specify the username with the -u flag - make sure to include a : afterwards, which indicates an empty password.

Note: If you're an Enterprise customer, you'll need to use your company's URL to authenticate (e.g. instead of

curl -u sk_YOUR_SECRET_KEY:

OpenID Connect (OIDC) Authentication

Experimental Feature

OIDC authentication in the Benchling API is currently in an experimental stage. It is fully functional but only supported with Azure AD and Okta. Expect some rough edges in configuration when setting this up.

Benchling for Enterprise supports authenticating with OpenID Connect (OIDC) id tokens. In this configuration, you'll need a trusted identity provider (such as Okta or AD FS) that supports OpenID Connect.

From your application, you can authenticate to the identity provider, which provides an id token in response. Your identity provider should be configured to include "email" as a claim in the token. You can then use the token in the Authorization header:

curl -H "Authorization: Bearer YOUR_ID_TOKEN_HERE"

The Benchling API accepts this token by verifying the signature against keys presented at your OpenID configuration endpoint (e.g. at Once the token signature is verified, the API request is authenticated as the user associated with the email claim on the token.

Note that the user must already exist - in most cases this means the user should sign into the web application before making API requests.

Contact to configure OpenID Authentication.


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.