Authentication
For the initial launch of our API, we rely on JWT authentication to secure your requests. This is the same method that powers login for our web application today.
The basic path to authentication requires an existing admin to create a new user for the API.
How to Create an Admin Service Account for Public API Access
This guide explains how to create a new Admin account in Flo Recruit specifically for programmatic API access (a "service account"). This account is used by software systems or scripts to authenticate with the Flo Recruit API.
You must be a current Flo Recruit Admin to perform these steps.
Part 1: Prerequisites
Before you begin, you must have a dedicated email address ready for this new service account (e.g., [email protected]). You will need access to this email account's inbox to complete the setup.
Part 2: Create New Admin Member & Determine Auth Path
From your Admin account, click Members in the main navigation bar on the left side of the screen.

On the Members list page, click the "Create New Member" button (this is typically in the top right corner).
A new window/modal will appear. Fill in the information for the new service account member:
Admin Status: Select “Admin” for Admin Status
Login type: If your organization has MFA enabled, select MFA
Note: If your organization does not have MFA or SSO enabled, you will not see these options and will log in using email and password.
First Name: Recommend using “API”
Last Name: Recommend using “User”
Email: The dedicated email address you prepared.

Determine Your Authentication Path:
When you check "Admin," a new radio group called “Login type” may appear asking if this user requires extra security (SSO or MFA) to log in.
If you see this option OR you know your org requires MFA for admins: You are an MFA-Enabled Org. You must select the MFA option (if presented). After clicking "Send Invite," you will follow Part 3, Path B.
If you do NOT see this option AND you know your org does not use MFA: You are a Non-MFA Org. After clicking "Create Member," you will follow Part 3, Path A.
If you are unsure: Please contact your Customer Success representative to confirm your org's admin authentication settings before proceeding.
Click “Create Member”. An email will be sent to the new account's address; the account setup is completed from that email in the following steps.
Part 3: Finalize Account Setup
Follow the instructions that match the path you determined in Part 2.
Path A: For non-MFA Orgs
Go to the inbox for the new service account's email address.
Open the invitation email, subject: “New Flo Account for You” from Flo Recruit and click the activation link, “Click here to create your account”.
A web page will open in your default browser, prompting you to create a password.
Create a strong, unique password for this account.
Flo recommends using a password manager (like 1Password or LastPass) to generate and store a password.
If creating one manually, ensure it is long (16+ characters) and complex (using uppercase, lowercase, numbers, and symbols).
Store this password securely. You will need it for your API configuration.
Your setup is complete. This account is now active. Proceed to Part 4: Securely Store Credentials.
Path B: For MFA-Enabled Orgs
This path requires extra steps to retrieve the MFA secret key for programmatic use.
Follow Path A steps 1-4 to set up a new password for this account.
After setting the password, you will be logged in. Log out and navigate to your organization’s login page. If your organization has SSO enabled, you will need to enter this URL in the browser to access the normal login form:
https://florecruit.com/app/your_organization_name/adminLoginMfaForSsoOrg/
Click the "Forgot password?" link.

Enter the service account's email address and submit the form.

Go back to the service account's email inbox. Open the new "Forgot Password Account Recovery" email and click the link.
You will be prompted to create a new password again. Enter a new, secure password.
Once you submit this new password, the page will load the MFA Setup screen showing a QR code.
Below the QR code, click the link "show secret key for manual configuration".

A text string will appear. Click the copy button to copy this MFA Secret Key to your clipboard. Store this secret key somewhere safe. Part 4 covers how to use it.

Finish the MFA setup by scanning the QR code with an MFA application. Enter the 6 digit code in the form field “MFA Code”.
You should now be logged in to the system. Log out.
Your setup is complete. Proceed to Part 4: Securely Store Credentials.
Part 4: Securely Store Credentials
You must securely store these credentials for your application to use.
Credentials from Part 3 should never be stored in an insecure location. Do not email or share your credentials with anyone.
Programmatic access requires storing the credentials in the environment where the code that accesses the API runs. We recommend using a .env file or storing these credentials as environment variables and loading them when your application starts. If you use a .env file, we recommend adding it to your .gitignore file and not checking it into git.
For Non-MFA Orgs: You need the Email and Password.
For MFA-Enabled Orgs: You need the Email, Password, and the MFA Secret Key you just copied.
Part 5: Next Steps
Your admin service account is now fully configured.
We suggest that you authenticate prior to each API request. To do so, make a POST request with your credentials to our Login Endpoint. The Login Endpoint is:
https://florecruit.com/app/{org_name}/admin/auth/
The endpoint always returns a 200 OK status response. If authentication was successful, the response also includes a cookie containing an authorization token.
To verify authentication succeeded, make a test API call after authenticating. If the test call returns 401 Unauthorized, authentication failed—check your credentials and ensure you've included mfaCode if your account requires MFA.
Refer to the “Python Code Example” and “Node.js Code Example” sections at the end of this document for more specifics about usage.
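The sketch below is an added example, not Flo Recruit's own code: it shows how a service account can turn the stored MFA Secret Key into the 6 digit code and assemble the login body from environment variables. It assumes the secret is a standard base32 TOTP secret (RFC 6238, SHA-1, 30-second step); the variable names FLO_EMAIL, FLO_PASSWORD and FLO_MFA_SECRET and the "email" and "password" field names are hypothetical, and only mfaCode comes from this guide.

```python
import base64
import hashlib
import hmac
import os
import struct
import time


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 (assumed to match the MFA setup screen)."""
    # Secret keys are often shown lowercase or in groups; normalise before decoding.
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def build_login_payload(env=None, at=None):
    """Build the login body from the environment, never from literals in code.

    FLO_EMAIL, FLO_PASSWORD, FLO_MFA_SECRET and the "email"/"password" keys
    are assumed names; only "mfaCode" appears in the guide.
    """
    env = os.environ if env is None else env
    missing = [k for k in ("FLO_EMAIL", "FLO_PASSWORD") if not env.get(k)]
    if missing:
        # Fail closed and name the variable, but never echo a credential value.
        raise RuntimeError("missing credentials: " + ", ".join(missing))
    payload = {"email": env["FLO_EMAIL"], "password": env["FLO_PASSWORD"]}
    secret = env.get("FLO_MFA_SECRET")
    if secret:  # present only for MFA-enabled orgs
        payload["mfaCode"] = totp(secret, at=at)
    return payload
```

Generate the payload immediately before the POST: a code is only valid for its time step, and the host clock must be accurate for the code to match.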