Bearer token on every GraphQL call.
All requests go to a single endpoint:
1. Create an API key
API keys are created from the Filed web app, per workspace:- Open the workspace you want to grant access to.
- Go to Plugins → Filed API.
- Click Create an API Key.
- Choose an Expiry and an Access level (see below).
- Copy the key. It is shown only once, so store it in a secret manager. If you lose it, revoke it and create a new one.
An API key is personal: it authenticates as you, the user who created
it. Every call made with a token minted from the key acts on your behalf and is
limited to what your account is allowed to do in that workspace (the
userToken
from the exchange identifies you). If you leave the workspace or your access
changes, the key’s access changes with you. For a shared or service integration,
create the key from an account you intend to own that integration.Expiry
The key is valid for the window you pick at creation time. After it expires, the exchange step (below) stops working and you must create a new key.| Option | Key lifetime |
|---|---|
30 | 30 days |
60 | 60 days |
90 | 90 days (default) |
365 | 1 year |
2. Scope: one key, one workspace
An API key is scoped to the single workspace it was created in. The access token you get from it can only read and write data in that workspace. To integrate with several workspaces, create one key per workspace.This is different from legacy partner API keys, whose token could reach every
workspace the partner created. New Filed API keys are deliberately
workspace-scoped for tighter, per-workspace access control.
Access levels: read vs read-write
The Access level you pick at creation time is baked into every access token minted from that key:| Access | Value | What the token can do |
|---|---|---|
| Read only | read_only | Run queries to look up clients, tasks, documents, and other workspace data. All mutations are rejected. |
| Read and write | read_write | Everything read-only can do, plus mutations: upload documents, trigger runs, and modify workspace data. |
3. Exchange the API key for an access token
Send your API key as therefreshToken argument to
exchangeSurfaceRefreshTokenForAccessTokens. This is a public mutation: it
is the only call you make without a Bearer token.
Arguments
Your API key, exactly as copied from the Filed web app.
Returns: AccessTokens
A short-lived token identifying you (the user the key belongs to) across
your account, not tied to any one workspace.
A short-lived token that is also you, scoped to the key’s workspace. This
is the token you use for API calls. It carries the key’s access level: a
read_only key mints a read-only workspaceToken.userToken is you account-wide, the workspaceToken is you
within the key’s workspace at the key’s access level.
Both tokens are short-lived (about 30 minutes). When they expire, call the
exchange again with the same API key to mint fresh ones. The API key itself
lasts until its expiry.
Example
4. Call the API with the access token
Send theworkspaceToken in the Authorization header on every subsequent
request:
me query. me returns the Me union, which resolves to
WorkspaceUser when you authenticate with a workspaceToken (and to User with
an account-wide userToken). Because it is a union, select fields with an inline
fragment on the type you expect:
cURL
Types
Union of
User (returned with an account-wide userToken) and WorkspaceUser
(returned with a workspace-scoped workspaceToken). Query it with
... on WorkspaceUser { ... } to read workspace fields.The membership id that links this user to the workspace.
The user’s role in the workspace, for example
admin or member.When the user was added to the workspace.
The underlying user account:
id, name, and email.The workspace this
workspaceToken is scoped to.Putting it together
A typical integration:- Once, in the web app: create a workspace-scoped API key with the access level you need, and store it as a secret.
- On startup / on 401: exchange the API key for a fresh
workspaceToken. - Per request: send
Authorization: Bearer <workspaceToken>. - When the token expires (~30 min): repeat step 2 with the same API key.
Troubleshooting
exchangeSurfaceRefreshTokenForAccessTokens returns an error
- The API key is wrong, revoked, or past its expiry. Create a new one.
- Confirm you are posting to
https://router.apps.filed.com/graphql.
- The key was created as Read only (
read_only). Create a Read and write key to allow mutations.
- The
workspaceTokenexpired. Re-exchange the API key for a new one.