Authentication
Three auth modes, one for each direction traffic flows.
1 · Outbound calls — bearer token
Every request to the OpenSOP API except /sop/triggers/* and /sop/webhooks/* requires an X-SOP-Token header. Tokens are workspace-scoped.
curl https://api.opensop.dev/sop/ \ -H "X-SOP-Token: sk_workspace_acme_4f9c..."
2 · Inbound triggers — HMAC
Endpoints under /sop/triggers/:process_name have no bearer token. Instead, the third party signs the raw request body with a shared secret. The engine looks up the secret declared at process.trigger.auth.secret_env, recomputes the signature, and compares constant-time.
IMPORTANT
—
Provider signature schemes vary — different headers, encodings (hex / base64), and prefixes. See the provider matrix on the trigger endpoint page.
3 · Webhook callbacks — single-use ID
When a webhook step starts, the engine generates a callback URL containing a one-shot ULID. The third party POSTs back to that URL. The ID itself is the credential — once consumed, it is invalidated.
Callback URLs expire after the step's timeout, default 7 days.
Token rotation
| Action | Endpoint |
|---|---|
| Create token | POST /workspace/tokens |
| List active tokens | GET /workspace/tokens |
| Revoke token | DELETE /workspace/tokens/:id |