Authentication

What this does

Every call to a Quik! REST API needs an OAuth2 access token. This page shows how to get your Master Credentials, generate a token from them, and use the token to authenticate your API calls.

Before you start

You need your Quik! API Master Credentials:

  • Master UserID
  • Master Username
  • Master Password

These are different from your Quik! App login. They are issued for your account and used only for server-to-server API calls.

Where to find your Master Credentials

  1. Log in to the Quik! App at https://quikformsapp.com.
  2. Go to Admin Settings → API Credentials.
  3. Your Master UserID, Master Username, and Master Password are listed there.

If your account is brand new and you don't see API Credentials, your Quik! representative or the onboarding team can help. Master Credentials are typically set up by Quik! at account creation.

A note on Master Credentials

Master Credentials are powerful. They authenticate calls that can read and modify everything in your account.

  • Never share Master Credentials with end users. They are server-to-server credentials, not user logins.
  • Never embed them in client-side code (browser JavaScript, mobile apps). Use them only on a server you control.
  • Treat them like any other API secret. Store them in environment variables or a secrets manager. Rotate them if they're ever exposed.

Generate a token

Post your Master Credentials to the authentication endpoint:

POST https://websvcs.quikforms.com/rest_authentication/token
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=<MasterUsername>&password=<MasterPassword>

A successful response includes the token, its type, how long it's good for, and a refresh token:

{
  "access_token": "gfD4QVol1ZF8EDBEyZG...",
  "token_type": "bearer",
  "expires_in": 86399,
  "refresh_token": "VbIW0Iip4jokW4..."
}

The expires_in value is how long the token is valid for, in seconds. Use this as the source of truth rather than hardcoding a duration in your application. Token lifetimes can change.

For the exact request and response schema, see the API reference.

Use the token

Include the access token in the Authorization header on every Quik! API call:

Authorization: Bearer <access_token>

That's the only auth header you need. Master Credentials themselves never travel in any call other than the initial token request.

When the token expires

A 401 Unauthorized response from any Quik! endpoint means the token is expired or invalid. Two options to recover:

| Option | When to use |
|---|---|
| Refresh the token. Post the refresh token to the same /token endpoint with grant_type=refresh_token instead of grant_type=password. | Most services support refresh and it avoids re-sending credentials. |
| Regenerate a new token by posting Master Credentials again. | Fallback if refresh fails, or if the refresh token itself has expired. |

Build your client to handle 401s gracefully: catch the error, refresh or regenerate, then retry the original call.
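
The following Python is an added example, not Quik!'s own code. It keeps the Master Credentials on the server, takes expiry from expires_in, and on a 401 tries the refresh grant before falling back to the password grant, then retries the call once. The names TokenManager and http_post_form, the 60-second early-renewal margin, and the refresh_token form field name (taken from RFC 6749) are assumptions; check the field name against the API reference.

```python
import json, time, urllib.error, urllib.parse, urllib.request

TOKEN_URL = "https://websvcs.quikforms.com/rest_authentication/token"

def http_post_form(url, fields):
    """POST url-encoded form fields; return (status, parsed JSON body)."""
    data = urllib.parse.urlencode(fields).encode()  # urllib sends bytes as x-www-form-urlencoded
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}  # do not log `fields`: it carries the secrets

class TokenManager:  # hypothetical name; holds Master Credentials server-side only
    def __init__(self, username, password, post=http_post_form, clock=time.monotonic, skew=60):
        self._creds = {"grant_type": "password", "username": username, "password": password}
        self._post, self._clock, self._skew = post, clock, skew
        self._access, self._refresh, self._deadline = None, None, 0.0

    def _store(self, body):
        self._access, self._refresh = body["access_token"], body.get("refresh_token")
        # expires_in from the response is the source of truth; renew `skew` seconds early
        self._deadline = self._clock() + body["expires_in"] - self._skew

    def renew(self):
        """Refresh grant first; password grant if there is no refresh token or it is rejected."""
        if self._refresh:
            # refresh_token field name assumed from RFC 6749; check the API reference
            form = {"grant_type": "refresh_token", "refresh_token": self._refresh}
            status, body = self._post(TOKEN_URL, form)
            if status == 200:
                return self._store(body)
        status, body = self._post(TOKEN_URL, self._creds)
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status}")
        self._store(body)

    def token(self):
        if self._access is None or self._clock() >= self._deadline:
            self.renew()
        return self._access

    def call(self, send):
        """send(headers) -> (status, body) performs one API call; retried once after a 401."""
        status, body = send({"Authorization": f"Bearer {self.token()}"})
        if status == 401:
            self._access = None  # force renew() on the next token() call
            status, body = send({"Authorization": f"Bearer {self.token()}"})
        return status, body
```

Construct it with values read from environment variables or a secrets manager, and pass `call` a function that sends one request with the supplied headers.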

Pitfalls

  • Don't put Master Credentials in client-side code. Browser apps and mobile apps should call your own server, which holds the credentials and issues short-lived tokens to the client. Master Credentials in a JavaScript bundle are effectively public.
  • Don't reuse tokens past expires_in. Plan for token refresh in your code from the start. The expiration is in the response. Use it.
  • Don't hardcode the token lifetime. Quik! may change token durations over time. Read expires_in from the response on every authentication call and use that value.
  • One token can be used across multiple Quik! services depending on the token's scope and duration, but not always. If you hit a 401 partway through a workflow, refresh or regenerate rather than assuming it should keep working.
  • End users should never have Master Credentials. If you need per-user behavior in your application, build that on top of your own user system. The Quik! API uses Master Credentials only.

Continue with these articles to understand the related concepts and workflows:

  • Introduction — Start with the high-level overview of how Quik! works.
  • Library Subscription — Understand how authentication connects to the forms your account can access.
  • Launch a Form — See how authentication fits into the form launch workflow.
  • Connect DocuSign account — Learn how DocuSign credentials are connected for e-signature workflows.