Skip to main content
How you authenticate depends on which API you call. Both the REST management API (/api/v1/…) and the SCIM API (/api/scim/v2/…) take a token in the Authorization header with the Bearer prefix, and only HTTPS is accepted.

REST API (/api/v1)

Authenticate deployment, report, and workbook requests with a token sent using the Bearer prefix: 
Authorization: Bearer <YOUR_TOKEN>
The token can be an API key generated in your Cube Cloud account settings, or an OAuth access token from Cube Cloud’s OAuth flow — both are sent the same way. 
curl --request GET \
  --url 'https://<tenant>.cubecloud.dev/api/v1/deployments' \
  --header 'Authorization: Bearer <YOUR_TOKEN>'

SCIM API (/api/scim/v2)

Authenticate user and group provisioning requests with a SCIM bearer token, configured in your identity provider’s SCIM integration: 
Authorization: Bearer <YOUR_SCIM_TOKEN>
The SCIM API requires the Bearer prefix because identity providers (Microsoft Entra ID, Okta, and others) send credentials this way per RFC 7644. The SCIM token is a Cube Cloud API key, so Api-Key <YOUR_SCIM_TOKEN> is also accepted here. Generate a SCIM token in your Cube Cloud account settings, then configure it in your identity provider alongside the base URL. 
curl --request GET \
  --url 'https://<tenant>.cubecloud.dev/api/scim/v2/Users?count=100&startIndex=1' \
  --header 'Authorization: Bearer <YOUR_SCIM_TOKEN>'
Treat API keys and SCIM tokens like passwords — they grant full access to your account’s resources. Store them securely and rotate them if they are exposed.
A 401 Unauthorized response means the credential is missing, malformed, or expired.