You are here

Introduction to authentication

This section of the documentation looks at how your application can be authenticated to access Alfresco repositories.


The Client API supports two types of authentication, HTTP Basic Authentication and OAuth. HTTP Basic Authentication is used for accessing on-premise repositories. OAuth is used for accessing Alfresco in the Cloud.

Internally, the Client API uses an AuthenticationProvider interface. There are two implementations of this interface, BasicAuthenticationProvider and OAuthAuthenticationProvider. An AuthenticationProvider is responsible for providing an HTTP request with the headers that need to be added to a request in order to identify and authorize the user.


The BasicAuthenticationProvider is constructed with a username and password and when requested provides the standard "Authorization" header.

This authentication provider is used for accessing on-premise servers.


The OAuthAuthenticationProvider is constructed with an API key, API secret, access token and refresh token. When requested, it provides the OAuth token using the following header:

         Authorization: Bearer [your access code]

This authentication provider is used for accessing Alfresco in the Cloud. By default CloudSession uses OAuth.

OAuth Overview

An Alfresco application can use the OAuth 2.0 authorization code flow to authenticate itself with Alfresco Cloud and to allow users to authorize the application to access data on their behalf.

You first register your application on the Alfresco Developer site. You provide a callback URI (, and a scope ("public_api").

Registration will provide you with an API key and a Key Secret which are required by your application to authorize itself.

When a user runs your application, the application requests an authorization code from Alfresco using its API key, Key Secret, callback URI and scope. Alfresco will inform the user that your application wishes to access resources, and asks the user to grant or deny access.

If the user grants access, Alfresco returns an authorization code to the application. Your application then exchanges the authorization code for an access token. Your application can then call the Client API with the access token.

Example code

Example code demonstrating connection to on-premise repositories and Alfresco in the Cloud can be found in the SDK Samples application and HelloRepo application provided with the SDK.

Note: In iOS much of the work in OAuth authentication is done for you by the AlfrescoOAuthLoginViewController. Examples of usage can be found in the SDK Samples and HelloRepo applications.

OAuth Sample

A general OAuth sample can be found on Alfresco's Github site.

Sending feedback to the Alfresco documentation team

You don't appear to have JavaScript enabled in your browser. With JavaScript enabled, you can provide feedback to us using our simple form. Here are some instructions on how to enable JavaScript in your web browser.