API Authorisation Deprecation 🌇

To interact with Alloy’s API, you must include your personal API key in every request you send. Currently, there are three possible methods for doing this. However, two of these methods can expose your API key to attackers.

Therefore, we’re announcing the deprecation of these insecure methods, which will be blocked entirely from January 2025.

Going forward, please use the bearer authentication scheme to communicate with Alloy.

Who will be affected?

All users and implementations that don’t use Bearer authentication to access the Alloy API.

Details

The following authentication methods are now deprecated. They continue to work for now, but will no longer be accepted in the near future:

  • A token URL parameter:
    https://uk.alloyapp.io/api/session/me?token=<value>
  • A token header:
    Token: <value>

From now on, the only supported method is to use the Authorization header with the bearer scheme (RFC 6750):
    Authorization: Bearer <token>
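
A migration shim for the change described above, as an added example that is not Alloy's own code: it takes a request built the deprecated way (key in the `token` URL parameter or in a `Token` header) and rewrites it to the `Authorization: Bearer` form. The function name, the extra `page` parameter and the sample key are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


def to_bearer_request(url, headers=None):
    """Rewrite a legacy request to use Authorization: Bearer.

    Hypothetical helper (not part of any Alloy SDK). Returns (url, headers)
    with the API key removed from the query string and the Token header.
    """
    headers = dict(headers or {})
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)

    # Collect the key from every place it could currently live.
    found = [v for k, v in query if k == "token"]
    for name in list(headers):
        lower = name.lower()  # HTTP header names are case-insensitive
        if lower == "token":
            found.append(headers.pop(name))
        elif lower == "authorization":
            scheme, _, value = headers.pop(name).partition(" ")
            if scheme.lower() != "bearer" or not value.strip():
                raise ValueError("unsupported Authorization scheme")
            found.append(value.strip())

    keys = set(found)
    if not keys:
        raise ValueError("no API key found in request")
    if len(keys) > 1:
        # Conflicting keys: refuse rather than guess which one is intended.
        raise ValueError("conflicting API keys in request")

    # Drop the key from the URL, where it is easily captured in logs.
    clean_query = urlencode([(k, v) for k, v in query if k != "token"])
    clean_url = urlunsplit(parts._replace(query=clean_query))
    headers["Authorization"] = "Bearer " + keys.pop()
    return clean_url, headers


if __name__ == "__main__":
    # Constructed sample values; the key is a placeholder, not a real one.
    print(to_bearer_request(
        "https://uk.alloyapp.io/api/session/me?token=EXAMPLE-KEY&page=2"))
```
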

Expected release

January 2025