Authentication and secure access

Don't forget to check out our JSON RESTful APIs, they can help you utilize and extend Quickbase with ease.


Once you've authenticated as a Quickbase user, you can invoke API calls to access Quickbase data. Depending on how your app and account are set up, you may be required to supply the following with each API call:

  • An authentication ticket or user token – to authenticate yourself to Quickbase. The user token is an alternate means of authentication for APIs and automation that is generally more secure and convenient. Upon receiving the API call, Quickbase examines the authentication and application token you provided.
  • An application token for the app that the API call will access – some apps require an application token to be provided in addition to a means of authentication. An application token is an extra string of characters used to verify that access to a Quickbase application is authorized.
  • Authenticating with a ticket: If the ticket is valid, the API call is allowed to proceed. If the app also requires an application token, that is also checked before the API call can proceed.
  • Authenticating with a user token: If you authenticate yourself to Quickbase with a user token, no application token is needed, even if one is assigned to the app you’re accessing. The user token can be assigned to one or more apps, and provides built-in security that ticket authentication does not. However, user tokens are not allowed for all API calls.

About the authentication ticket

When you authenticate a user using API_Authenticate, Quickbase returns an authentication ticket in these two formats:

  • a browser cookie--If you are using a web browser to access Quickbase, Quickbase uses the ticket cookie returned by the API_Authenticate call to authenticate users. If you are using a browser and have enabled cookies, Quickbase continues to use the cookie after the user has authenticated; you need not supply the cookie with each API call after you've authenticated the user with API_Authenticate.

  • an XML representation of the ticket for inclusion in subsequent API calls--If you are NOT accessing Quickbase using a web browser or you've not enabled cookies, you must supply the XML representation of the ticket in each API call. (Do NOT hard code the username and password parameter and their values in your request, even if you are using https.)

By default, the ticket is valid for 12 hours. You can change this default in the API_Authenticate call; you can set the duration of the ticket's validity from one hour to several days.

Note: API_Authenticate calls have a maximum time limit of 4,380 hours, or approximately 6 months. This applies to new tickets initiated on or after January 21, 2018.

Many API calls that use a ticket can instead take the usertoken parameter. You can still use the ticket method if you prefer. The usertoken parameter can be used with any API that doesn't post to a db/main URL, and also with API_GrantedDBs.

Supplying the authentication ticket and application or user tokens in API calls

The following table describes when you need to supply the authentication ticket, application token, or user token. It assumes you've already authenticated the user using API_Authenticate (or are using a user token).

Are you accessing Quickbase via a web browser (can you rely on cookies)?Are application OR USER tokens required?You must supply the following in each API call:



The application token only.

You need not supply the authentication ticket explicitly; the authentication ticket is supplied automatically by the cookie.



The authentication ticket, application token, or user token



Neither the authentication ticket, application token, or user token. The app or user token is not required, and, if you are using a web browser, the authentication ticket will be supplied automatically.



The authentication ticket or user token

Related Topics: