Information for: DEVELOPERS   PARTNERS

Cloud API v2 authentication

All Acquia Cloud API v2 calls require authentication to work. The information on this page is applicable only for Cloud API version 2.


For information about authenticating with Cloud API version 1 (v1), see Cloud API v1 authentication.


HMAC authentication is deprecated and will be removed from Cloud API version 2 on April 15, 2020.

Generating an API token

To generate an API token for authenticating with the Acquia Cloud API v2, complete the following steps:

  1. Sign in to Acquia Cloud using your email address and Acquia password.

  2. Click your user avatar in the upper right corner, and then click Account Settings.

    Edit your profile

  3. On the Profile page, click API Tokens.

  4. Provide a human-readable label for your API token, and click Create Token.

    Acquia Cloud will generate an API Key and API secret for you.


    The API token will expire 300 seconds (or 5 minutes) after you generate it and must be regenerated before then.

  5. Record a copy of your API Key and API secret, as you can’t retrieve them after closing your browser tab.

You can remove a token at any time by clicking Remove next to the token you want to remove.

Generating tokens with a curl request

If you generate an API token with a curl request, instead of the Acquia Cloud user interface, Acquia recommends passing the data with a --data-urlencode parameter instead of a --data parameter to prevent incorrect encoding of non-alphanumeric characters, similar to the following example:

curl --data-urlencode "client_id=API_KEY" --data-urlencode "client_secret=API_SECRET" --data-urlencode "grant_type=client_credentials"

Authenticating in Cloud API RESTful interface calls

Each Cloud API call authenticates requests with OAuth 2.0 client credentials, and requires the information provided when generating an API token.

The Client ID and Secret are exchanged for a bearer access token, which authenticates calls to the Acquia Cloud API.


Run composer require league/oauth2-client, and then download an example authentication script.

Authenticating from a browser

Acquia Cloud API v2 also implements Cross-origin resource sharing (CORS), enabling you to implement authentication in browser-based clients when using Acquia’s supported API tokens. Requests should use the Access-Control-Allow-Origin header for identification.