Basic Authentication

Requests made to the API are usually authenticated with HTTP Basic authentication.

In order to properly authenticate with the API, you must use your API key as the username while leaving the password blank. Requests not properly authenticated will return a 401 error code. You can generate API keys for your account in your Profile Settings. All API requests must be made over HTTPS.

In curl, you can specify the username with the -u flag - make sure to include a : afterwards, which indicates an empty password.

Note: If you're an Enterprise customer, you'll need to use your company's URL to authenticate (e.g. instead of

curl -u sk_YOUR_SECRET_KEY:

OpenID Connect (OIDC) Authentication

Benchling for Enterprise supports authenticating with OpenID Connect (OIDC) id tokens. In this configuration, you'll need a trusted identity provider (such as Okta or AD FS) that supports OpenID Connect.

From your application, you can authenticate to the identity provider, which provides an id token in response. Your identity provider should be configured to include "email" as a claim in the token. You can then use the token in the Authorization header:

curl -H "Authorization: Bearer YOUR_ID_TOKEN_HERE"

The Benchling API accepts this token by verifying the signature against keys presented at your OpenID configuration endpoint (e.g. at Once the token signature is verified, the API request is authenticated as the user associated with the email claim on the token.

Note that the user must already exist - in most cases this means the user should sign into the web application before making API requests.

While OpenID Authentication is an open standard, it relies on the identity provider complying with the standard to work. To date, we've had clients successfully configure this with the following IdPs:

  • Okta
  • Azure Active Directory

Contact [email protected] to configure OpenID Authentication.

Updated 28 days ago


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.