Advanced Dynamic Authentication
Use this guide to handle complex, multi-step credential lifecycles, such as token generation and automatic refresh patterns. This configuration establishes a background loop that logs in to an identity service, passes the temporary token to your endpoints, intercepts token expiration errors, and triggers automatic refreshes.
How the dynamic token lifecycle works
The platform manages temporary tokens using an automated three-part background loop. Understanding this cycle helps you map connector actions to your API configuration:
- Authentication Request. The platform requests a short-lived token using your credentials or a refresh token.
- Token Injection. The platform stores the token in a dynamic context variable and injects it into outbound business requests.
- Error Interception. When the token expires and causes a failure, the platform captures the error, requests a new token, and automatically retries your original request.
Detailed token exchange and refresh sequence
The sequence below describes how the platform coordinates token requests, resource access, and expiration recovery with external identity and resource servers:
- Access token request. The platform makes an initial API call to request an access token by authenticating with the authorization server and presenting an authorization grant (such as a user name and password, organization key, or API key and secret).
- Access token issuance. The authorization server authenticates the platform and validates the authorization grant. If the grant is valid, the server issues an access token and, if requested, a refresh token.
- Protected resource request. The platform makes a request to the protected resource server by presenting the access token.
- Resource server response. The resource server validates the access token. If the token is valid, the server processes the request.
- Request repetition. The request and validation steps repeat until the access token expires. If the platform detects that the access token has expired before sending a request, it skips to the refresh request (step 7); otherwise, it sends another protected resource request.
- Token expiration error. If an expired access token reaches the resource server, the resource server validates the token, identifies it as invalid, and returns an invalid token error.
- Refresh token presentation. The platform requests a new access token by authenticating against the authorization server and presenting the refresh token instead of the original credentials. The specific authentication requirements depend on the client type and the authorization server policies.
- New access token issuance. The authorization server authenticates the platform and validates the refresh token. If the refresh token is valid, the server issues a new access token and optionally generates a new refresh token.
Step 1: Get the security context
You must define the login request that generates temporary access and refresh tokens.
First create the authenticate client action:
-
In your REST app configuration page, locate the Authenticate client connector action field and select the + icon.
- Complete the mandatory fields in the Connector general tab: Name, Description, Category, Is Active.
- Click Save, and click the Connector steps tab.
- Click Create task and choose Authenticate Client.
Define the Authenticate Client integration task
- In the General tab, enter a clear, descriptive name (for example, Authorize Action).
- Select the matching Connector Code from the dropdown.
- Select Save.
Click the Request tab and configure the request.
If you want to authorize subsequent REST API calls using refresh tokens instead of using credentials, you can do so by selecting Use refresh token pattern and then configuring the authentication call following the steps below. If you don't want to use refresh tokens, do not select Use refresh token pattern and follow only steps 1 and 2.
Step 1. Configure the main authentication call request (Authenticate Client Request)
Druid makes an initial API call (main authentication call) and requests an access token by authenticating with the authorization server and presenting an authorization grant (user name & password or organization key, API key & API Secret, etc.).
To configure the main authentication call, click the Authenticate Client Request. If you are not using the refresh token pattern, the tab displays by default.
Make a request to your authentication endpoint (as required by the API). Set the Parameters, Headers or Body with the values appropriate to your authentication API. Use integration context variables to securely refer credentials, like username, API keys, passwords etc., using the “@” symbol.
Step 2. Configure the response of the main authentication call (Authenticate Client Request)
The authorization server authenticates the client and validates the authorization grant, and if valid, issues an access token and (if requested) a refresh token.
To configure the response of the main authentication call, click the Response tab. Click the Authenticate Client Request tab. If you are not using the refresh token pattern, the tab displays by default. Map the received access token / key within a variable. This new variable (e.g., @ApiToken) is automatically defined by simply mentioning it in the response mapping table; there is no need to define it somewhere else.
If you're using the refresh token pattern, in the response mapping table, edit the first table entry by mentioning the Connector field name that holds the refresh token. Druid Connector will store the refresh token in a dedicated asset storage and will automatically set the value of the refresh token at runtime, when needed. That is why the first row in the mapping table is generated automatically, cannot be deleted and is mandatory to be filled in (in Connector field name) for this pattern.
If the token is returned as a string, in the Connector field type, specify text. You should let the Connector field name field empty.
Step 3. Configure the refresh token request
Druid requests a new access token by authenticating with the authorization server and presenting the refresh token.
To configure the refresh token request, click the Request tab, then click the Refresh Token Request tab.
Configure a request to your refresh token endpoint (or authentication endpoint as required by the API). Set the Parameters, Headers or Body with the values appropriate to your refresh token API.
In the mapping table, click the Edit icon displayed in line with the first row and in the Connector field name field, provide the name of the field indicated by the API endpoint where Druid will automatically set at runtime the refresh token obtained after executing the first authorization call (step 2). This way all API calls will be authorized using the refresh token instead of the access token.
Step 4. Configure the refresh token response
The authorization server authenticates Druid and validates the refresh token, and if valid, issues a new access token (optionally, as per authorization server policy, generates a new refresh token as well).
To configure the refresh token response, click the Response tab, then click the Refresh Token Response tab.
Map the access token / key within a variable. This new variable (e.g., @ApiToken) is automatically defined by simply mentioning it in the response mapping table; there is no need to define it somewhere else. Use the variable you use in general to hold the access token.
If Authorization Server also returns a new refresh token, select Response contains a new Refresh Token and in the response mapping table, edit the first table entry by mentioning the Connector field name that holds the new refresh token. Druid Connector will automatically set the new value of the refresh token at runtime (the value of the refresh token obtained after executing the first authorization call).
Click the Save & Close twice to save the integration task and the connection action.
Select the connector action for getting the security context
Go to Solution Contents > Apps and click on the REST connector app you want to configure. From the Authenticate client connector action dropdown, select the call for getting the security token.
Click the Save button to save the connector configuration.
Step 2: Define authorization template for all API calls
Once you capture the dynamic token in Step 1, you must tell the connector how to apply it to all subsequent integration calls.
Create and configure an Authorize request connector action by following the procedure in the Standard API Authentication Guide. In the authorization header or Body mapping table, map the dynamic token variable name declared in the response map of Step 2.
Select the connector action for API calls authorization.
Step 3: Set responses when authentication is required
You must configure the platform to detect an expired session token so it knows when to trigger the automatic re-authentication loop.
Create the error interception task
In the REST app configuration page, locate the Check not authenticated connector action field and click the + icon.
Complete the mandatory fields in the Connector general tab: Name, Description, Category, Is Active.
Select Save, and then open the ConnectorSteps tab.
Enter a suggestive description and click Save.
Define unauthenticated triggers
Open the Response tab and define how the platform identifies an expired session using one of these strategies:
-
HTTP status codes: Select the target error code (typically 401: Unauthorized) from the HttpStatusCode drop-down field.
-
Custom response body: If the API provider returns an HTTP 200 success code but describes authentication failures inside a custom JSON payload, select the Body sub-tab and input the failure JSON schema condition.
Select Save & Close twice.
Link the error interception action to the connector app
- On the app configuration page, locate the Check not authenticated connector action dropdown.
- Select the newly created error interception integration task.
- Click Save & Close to save the app.














