Callout Authenticator

Authenticates a client by calling out to a REST service to validate a token found in the request and then getting information about the user. Use this policy as an alternative to the other authentication methods.

Policy Execution Order

The Callout Authenticator policy executes after early stage request validation policies, like IP Restriction.

Authentication Policy Requirement

All Authentication policies require the Authorize By Role policy to authenticate the API caller correctly. For example, you can configure this policy to add the role “admin” to the client and then configure the Authorize By Role policy to authorize users with that role.

Expression Enabled Fields in API Policies

All expression enabled fields take expressions from the SnapLogic Expression Language and the API Policy Manager functions.

Parameter Name | Description | Default Value | Example
Label | Required. The name for the API policy. | Callout Authenticator | My_Auth

When this policy should be applied

An expression enabled field that determines the condition to be fulfilled for the API policy to execute.

For example, if the value in this field is request.method == "POST", the API policy is executed only if the request method is a POST.

Default Value: N/A | Example: request.method == "POST"

Extract into $token

Required. Specifies the location to find the key in the request. If one of the given locations is not found, this API policy will pass the request through to the next API policy.


Custom Header Keys

The names of the headers that can contain the key. If more than one header is given, they will all be checked. Click + to add more custom header keys.

Key | The name of the custom header key. | N/A | X-Token

Custom Query String Parameters

The names of the query parameters that can contain the key. If more than one name is given, they will all be checked. Click + to add more custom query string parameters.

Key | The name of the custom query string parameter. | N/A | token

Authorization Header Type

If the key is in the Authorization header, this value is used as the “type” to check.


Callout Request #1-2

Required. These sections describe the HTTP GET requests this API policy should make to validate the token and get information about a user.

Client Request #2 is optional.



Target Path

The location to store the result of the request in the working object, as a JSON-Path.

If you leave this field blank, the URL is not called.


The destination for the request.


Query Parameters

The query parameters to add into the URL. Click + to add more query parameters.




The headers to include in the request. Click + to add more headers.

Response Handler

Specifies how the request's response must be handled. 


Extract User Info

Required. Specifies how to extract information about the user from the working object.


User ID Expression

An expression that returns a string to be used as the user ID.


Roles Expression

An expression that returns the list of roles this user is in.

Default Value: N/A | Example: $ =>

Time-To-Live in Seconds

Required. The number of seconds for which the token is valid before it is re-validated.

Default Value: 600 (10 minutes) | Example: 700
Status | Specifies whether the API policy is enabled or disabled. | Enabled | Disabled
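The following is an added example, not SnapLogic code: a small Python model of the flow the fields above describe (token extraction, callout, user info extraction, TTL), useful for reasoning about pass-through and caching behaviour. Assumptions: the class and function names, the "Bearer" type, the order in which locations are checked, the "sub"/"roles" fields of the callout result, and the "rejected" outcome for a failed validation are all hypothetical.

```python
import time
from urllib.parse import urlsplit, parse_qs

# All names below are hypothetical; this models the documented behaviour only.
HEADER_KEYS = ["X-Token"]        # "Custom Header Keys" (example value from the page)
QUERY_KEYS = ["token"]           # "Custom Query String Parameters" (example value)
AUTH_TYPE = "Bearer"             # assumed "Authorization Header Type"
TTL_SECONDS = 600                # "Time-To-Live in Seconds" default

def extract_token(url, headers):
    """Check every configured location; return None if the token is absent."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for key in HEADER_KEYS:
        if lowered.get(key.lower()):
            return lowered[key.lower()]
    query = parse_qs(urlsplit(url).query)
    for key in QUERY_KEYS:
        if query.get(key):
            return query[key][0]
    scheme, _, value = lowered.get("authorization", "").partition(" ")
    if scheme.lower() == AUTH_TYPE.lower() and value.strip():
        return value.strip()
    return None

class CalloutAuthenticator:
    def __init__(self, callout, clock=time.monotonic):
        self.callout = callout   # stands in for Callout Request #1 (HTTP GET)
        self.clock = clock
        self.cache = {}          # token -> (expiry, user)

    def authenticate(self, url, headers):
        token = extract_token(url, headers)
        if token is None:
            return "pass-through", None      # next policy runs; no user attached
        hit = self.cache.get(token)
        if hit and hit[0] > self.clock():
            return "authenticated", hit[1]   # within TTL: no re-validation
        info = self.callout(token)           # working object from the service
        if not info:
            self.cache.pop(token, None)
            return "rejected", None          # assumed outcome of failed validation
        # "Extract User Info": user ID and roles taken from the callout result
        user = {"id": info["sub"], "roles": list(info.get("roles", []))}
        self.cache[token] = (self.clock() + TTL_SECONDS, user)
        return "authenticated", user
```

In this model a request without a token reaches the next policy with no user attached, which is why the Authorize By Role policy is needed to deny it. A token that the validation service stops accepting is still served from the cache until the Time-To-Live elapses, so the TTL value bounds how long such a token keeps working.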