Auth Profiles let you define authentication credentials once and reuse them across Pre-Call, During-Call, and Post-Call API requests. Instead of hardcoding tokens or passwords into every action, create a profile in one place and select it wherever you need it.
Overview
- Centrally managed — update a credential in one profile and every action that references it picks up the change automatically.
- Secure storage — sensitive fields (tokens, passwords, client secrets, API key values) are encrypted at rest.
- Four auth types — Bearer Token, API Key, Basic Auth, and OAuth 2.0 (Client Credentials).
Authentication Types
Bearer Token
Send a static token in the Authorization header of every request.
| Field | Description |
|---|---|
| Bearer Token | The token value. Sent as Authorization: Bearer <token>. |
Best for APIs that issue long-lived tokens or personal access tokens (e.g. OpenAI, HubSpot private apps).
API Key
Attach one or more key-value pairs to the request via header, query string, or request body.
| Field | Description |
|---|---|
| API Key Method | Where to send the keys — Header, Query, or Body. |
| Key-Value Pairs | One or more key/value entries. Click + Add another to add additional pairs. |
Use this type when your API expects a named key such as x-api-key, api_key, or similar.
You can add multiple key-value pairs in a single profile — useful when an API requires more than one credential header.
Basic Auth
Authenticate with a username and password, encoded as a standard HTTP Basic credential.
| Field | Description |
|---|---|
| Username | The username or account identifier. |
| Password | The password or secret. Stored encrypted. |
The platform sends Authorization: Basic base64(username:password) with each request.
OAuth 2.0 — Client Credentials
For machine-to-machine integrations that use the OAuth 2.0 Client Credentials grant. The platform automatically fetches (and refreshes) an access token before each request.
| Field | Required | Description |
|---|---|---|
| Client ID | ✅ | The OAuth client identifier. |
| Client Secret | ✅ | The OAuth client secret. Stored encrypted. |
| Token Endpoint | ✅ | The URL the platform calls to obtain an access token (e.g. https://auth.example.com/oauth/token). |
| Scope | Optional | Space-separated scopes to request (e.g. read write). |
You do not need to manage token refresh yourself. The platform handles the full token lifecycle — request, cache, and refresh — transparently before your API call executes.
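The request, cache, and refresh cycle described above, sketched as an added example that is not the platform's own code. The class and function names, the 30-second refresh margin, and sending the client secret in the form body (some servers expect HTTP Basic instead) are assumptions; the token endpoint is a constructed in-memory stand-in so the block runs offline.

```python
import time
from urllib.parse import parse_qs, urlencode


class ClientCredentialsToken:
    """Request, cache and refresh an access token (RFC 6749 section 4.4)."""

    def __init__(self, client_id, client_secret, token_endpoint, post,
                 scope=None, clock=time.monotonic, skew=30):
        if not token_endpoint.startswith("https://"):
            raise ValueError("token endpoint must use https: the client secret is sent to it")
        self.form = {"grant_type": "client_credentials",
                     "client_id": client_id, "client_secret": client_secret}
        if scope:
            self.form["scope"] = scope          # space-separated, as in the Scope field
        self.endpoint, self.post = token_endpoint, post
        self.clock, self.skew = clock, skew     # refresh `skew` seconds before expiry
        self.token, self.expires_at = None, 0.0

    def authorization_header(self):
        """Return the Authorization header value, fetching a token only when needed."""
        if self.token is None or self.clock() >= self.expires_at - self.skew:
            reply = self.post(self.endpoint, urlencode(self.form))
            if reply.get("token_type", "").lower() != "bearer" or "access_token" not in reply:
                self.token = None               # do not keep using an old token after a bad reply
                raise RuntimeError("token endpoint did not return a bearer token")
            self.token = reply["access_token"]
            self.expires_at = self.clock() + float(reply.get("expires_in", 0))
        return "Bearer " + self.token


def demo():
    now, seen = [0.0], []                       # constructed clock and request log
    def fake_post(url, body):                   # constructed stand-in for the token endpoint
        seen.append(parse_qs(body))
        return {"access_token": f"token-{len(seen)}",
                "token_type": "Bearer", "expires_in": 3600}
    auth = ClientCredentialsToken("my-client", "my-secret",
                                  "https://auth.example.com/oauth/token", fake_post,
                                  scope="read write", clock=lambda: now[0])
    first = auth.authorization_header()         # request
    now[0] = 1800
    cached = auth.authorization_header()        # cache hit, no second token request
    now[0] = 3580                               # inside the refresh margin
    refreshed = auth.authorization_header()     # refresh
    return first, cached, refreshed, seen
```
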
Managing Profiles
Open Studio → Manage → Auth Profiles to view, create, edit, search, and delete profiles.
Create a Profile
- Click New Profile.
- Enter a Profile Name (e.g. “Salesforce Production”).
- Choose an Authentication Type.
- Fill in the required fields for the selected type.
- Click Save.
Edit a Profile
Click the Edit icon next to any profile to update its name, type, or credentials.
Delete a Profile
Click the Delete icon next to any profile. The platform will check whether the profile is currently in use:
- Not in use — a confirmation dialog appears and you can proceed.
- In use — a usage summary shows which Pre-Call actions, Post-Call actions, and flow nodes reference the profile. Remove the profile from those locations first, then retry deletion.
Deleting a profile that is in use by active actions will cause those API requests to fail. Always review the usage summary before removing a profile.
Using a Profile in Actions
Any API Request configuration — in Pre-Call, During-Call, or Post-Call actions — includes an Auth Profile option:
- Toggle Use Auth Profile on.
- Select a profile from the dropdown.
- The platform injects the appropriate credentials at request time.
When a profile is selected, inline auth fields (token, username/password, etc.) are overridden by the profile’s stored values.
Best Practices
- One profile per external service — name profiles after the service they authenticate against (e.g. “Zendesk API”, “Twilio Prod”).
- Rotate credentials in one place — when a token or secret expires, update the profile and all referencing actions inherit the new value.
- Use OAuth 2.0 when available — the automatic token refresh reduces manual maintenance compared to static bearer tokens.
- Audit usage before deletion — always check the usage summary to avoid breaking live agents.