Skip to main content

Authentication and access

To use the GraphQL endpoint, you need an access token for all API requests: 

The GraphQL API takes into account the permissions of the user. If you need to restrict access to the client data via GraphQL API, see Apply limited visibility in GraphQL.


If you get a CORS (Cross-Origin Resource Sharing) error when using FA APIs, contact FA and tell us the domain from which you are making the request. FA will then add your domain to the valid web origins list of your FA environment.

Authenticate in GraphQL to get an access token

Before sending requests, you need to authenticate in FA via OpenID protocol with your username and password to receive an access token. Then, use the access token in all GraphQL API requests. Once the token expires, request a new one.

Use the following command to verify your GraphQL authentication:

curl -d "client_id=external-api" -d "username=<username>" -d "password=<password>" -d "grant_type=password" "https://<instance>"


For system-to-system integration, you should use your technical user to authenticate.

Use the following values in the request parameters:






'external-api' is the default public client ID from FA.



Your username.



Your password.



FA platform environment used by your organization.

You will get a JSON response that contains an access token if the authentication is successful. By default, the token is configured to be valid for 1 minute.

	"scope":"email profile"

Make a GraphQL request using the access token

You can use your access token, for example, with a GraphQL API call to fetch a portfolio name:

  1. Choose a portfolio in FA Back that you want to fetch through GraphQL API and note down its ID. You can find the ID in the last part of the portfolio URL, for example:

  2. Query the portfolio using cURL. Apply the previously fetched parameters to the following query:

    curl -X POST -i -H "Content-Type: application/json" --header "Authorization: bearer <access_token>" -d "{\"query\": \"{ portfolio(id:<portfolio_ID>) { name } }\"}" "https://<instance>"
  3. You will get the portfolio name in the response, for example:

    			"name": "Investment portfolio"    

Apply limited visibility in GraphQL

If you need to limit access to the client and portfolio data, follow the steps:

  1. Set up the limited visibility feature for the user in FA Back. For instructions, see Set up limited visibility for one user and Set up limited visibility for many users in FA Admin Guide.

  2. Authenticate the user's GraphQL requests with user credentials.

  3. Verify the user's access restriction by requesting all active contacts. The response should contain only the contacts the user has access to:

    curl -X POST -i -H "Content-Type: application/json" --header "Authorization: bearer <access_token>" -d "{\"query\": \"{ contacts(status:\\\"A\\\") { name } }\"}" "https://<instance>"