Credential Management

We integrate with hundreds of different apps and every authentication is unique. Some apps use the OAuth standard which involves redirecting a user to a single sign-on page and then back to your application while others use API keys. Luckily, Alloy Embedded takes the headache out of authentication via our easy-to-use modal. As you'll see in this section, using the Embedded Modal for authentication is simple and efficient. In addition, we also provide a set of credential management APIs, allowing you to create and delete credentials with ease.

This guide covers:

  • Credential handling via Embedded Modal
  • Manually adding API Key and OAuth credentials
  • Credential management via API
  • Handling credential expiration

Adding Credentials via Modal

When a user first instantiates the modal, the first thing they'll see is an authentication step prompting them to connect their app to Alloy Embedded.

Once a merchant adds their credential(s) via API Key or OAuth, Embedded encrypts the credential using AES-256 encryption and then links this credential to the specified user. If they were ever to install a subsequent integration or workflow that uses the same app, they would not have to authenticate that app again.

Manually Adding Credentials

In almost all use cases, adding a credential via the Embedded Modal is the best route. However, there are edge cases where you already have a user's authentication key. Perhaps you already have the user's API key on hand and don't want to prompt them to enter it again. We provide the POST /credentials endpoint to allow you to create a credential programmatically.


Note that you can only use the create credential endpoint for non-OAuth apps.

Credential Management via API

Once a credential is added to a user, you can use the Credentials API to list, add, and delete credentials for a user.

Expiration Handling

The vast majority of credentials that your merchants will integrate are evergreen – meaning unless intentionally removed by the user (i.e. the user intentionally revokes access to the credential), they'll stay active in Embedded.

However, unforeseen issues may arise. To solve this, Embedded allows you to register a webhook where you can receive merchant expiration notifications. The webhook will return the userId, userEmail, credentialId, and credentialName associated with the expired credential.