Rocket.Chat supports multiple authentication methods to secure API communication, including standard username-and-password login and OAuth integrations with providers such as Google, Facebook, and Twitter.
To access protected Rocket.Chat API endpoints, you must include both a valid authentication token and your user ID in the request headers:
X-Auth-Token: The authentication token that verifies your session.
X-User-Id: The unique identifier of the authenticated user.
Authentication tokens
Authentication tokens uniquely identify an active user session within a Rocket.Chat workspace. They confirm the user’s identity and permissions, enabling secure access to API features and resources.
For any endpoint that requires authentication, include your token in the X-Auth-Token header.
Rocket.Chat supports two primary types of authentication tokens:
authToken: It is a temporary token issued after a successful login through any login endpoint. Workspace administrators can also generate an authToken on behalf of a user using the Create User Token endpoint.
Personal Access Token: It is a long-lived token that users can generate to securely access the API without exposing their primary credentials.
To create a token through the user interface, see the Manage Personal Access Tokens guide.
To generate one via the API, use the Get Personal Access Tokens endpoint.
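The header pair described above, as an added example that is not Rocket.Chat's own code: it extracts the token and user ID from a login response, prepares an authenticated request, and masks the token before anything is logged. The workspace URL, the sample values, and the helper names are hypothetical; the login response shape (`data.userId`, `data.authToken`) and the `/api/v1/me` path are assumed from the REST API and do not appear on this page.

```python
import json
import urllib.request

BASE_URL = "https://chat.example.com"  # assumption: placeholder workspace URL

def auth_headers(user_id, token):
    """Build the two headers that protected endpoints require."""
    for name, value in (("user ID", user_id), ("token", token)):
        # Reject empty values and CR/LF, which would let a value inject extra headers.
        if not isinstance(value, str) or not value or "\r" in value or "\n" in value:
            raise ValueError(f"missing or malformed {name}")
    return {"X-Auth-Token": token, "X-User-Id": user_id}

def headers_from_login(body):
    """Extract the header pair from a login response body (JSON bytes or str)."""
    data = json.loads(body).get("data") or {}
    return auth_headers(data.get("userId"), data.get("authToken"))

def redact(headers):
    """Return a copy that is safe to log: the token is masked, the user ID kept."""
    return {k: ("***" if k.lower() == "x-auth-token" else v)
            for k, v in headers.items()}

def build_request(path, headers):
    """Prepare (without sending) a GET request to a protected endpoint."""
    return urllib.request.Request(BASE_URL + path, headers=headers, method="GET")

# Constructed sample login response; the values are made up.
SAMPLE_LOGIN = (b'{"status": "success", "data": '
                b'{"userId": "uid-EXAMPLE", "authToken": "tok-EXAMPLE"}}')

if __name__ == "__main__":
    headers = headers_from_login(SAMPLE_LOGIN)
    req = build_request("/api/v1/me", headers)
    # Log only the redacted view; the real token stays in memory.
    print(req.get_method(), req.full_url, redact(headers))
    # To send against a real workspace: urllib.request.urlopen(req, timeout=10)
```

A Personal Access Token goes into the same `X-Auth-Token` header; pass it and the user ID to `auth_headers` directly instead of parsing a login response.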