This section explains how to authenticate requests to Ubidots.

Every request sent to Ubidots requires a token. A token is a unique key that authorizes requests sent to Ubidots.

Tokens are valid for 6 hours and can be generated using your account’s API Key. The API token is found under the My Profile section on More information about how to obtain your token.

There are two ways to send a token in a request:

  1. Sending the token in the Header (recommended):

  2. Sending the token as a query parameter:

While sending your token as a query parameter might be more straightforward, we only advise doing so in prototyping stages as the token is visible and thus a lot less secure. For production stages, we strongly advise sending the token in the X-Auth-Token header.


Authentication without Header - Not Recommended!

While it is possible to send the authentication token as a query parameter and omit the X-Auth-Token header, doing so is much less secure. Including a token (or any security credential) in a URL path will make it easily readable in router logs, browsers' history, and packet sniffers.
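The logging exposure described above, as an added example that is not part of the original Ubidots documentation: it moves a token from the query string into the X-Auth-Token header, shows the request line an access log would record in each case, and masks tokens in lines that were already logged. The host, path, `page_size` parameter and the query parameter name `token` are assumptions, since the page does not show them.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

HEADER = "X-Auth-Token"   # header name given on this page
TOKEN_PARAM = "token"     # assumption: query parameter name (not shown on the page)
_TOKEN_RE = re.compile(r"([?&]" + TOKEN_PARAM + r"=)[^&\s\"']+")


def move_token_to_header(url, headers=None):
    """Strip the token from the query string and return (clean_url, headers)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    tokens = {v for k, v in pairs if k == TOKEN_PARAM}
    headers = dict(headers or {})
    if HEADER in headers:
        tokens.add(headers[HEADER])
    if len(tokens) > 1:
        # Refuse to guess which credential the caller meant to use.
        raise ValueError("conflicting tokens supplied")
    if tokens:
        headers[HEADER] = tokens.pop()
    kept = [(k, v) for k, v in pairs if k != TOKEN_PARAM]
    return urlunsplit(parts._replace(query=urlencode(kept))), headers


def request_line(method, url):
    """Request line as a proxy or server access log records it (no headers)."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return f"{method} {target} HTTP/1.1"


def redact_tokens(text):
    """Mask token values in log lines that were already written."""
    return _TOKEN_RE.sub(r"\1[REDACTED]", text)


if __name__ == "__main__":
    # Constructed sample: placeholder host and path, sample token from this page.
    url = ("https://api.example.invalid/devices/"
           "?token=oaXBo6ODhIjPsusNRPUGIK4d72bc73&page_size=5")
    clean, hdrs = move_token_to_header(url)
    print(request_line("GET", url))    # token is part of the logged line
    print(request_line("GET", clean))  # token no longer appears in the line
    print(hdrs)
    print(redact_tokens(request_line("GET", url)))
```

Redacting a log line does not undo the exposure: a token that was already written to a log should be treated as disclosed until it expires or is replaced.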

//Example Request to create a device with Token in the Header

curl -X POST '' \
 -H 'Content-Type: application/json' \
 -H 'X-Auth-Token: oaXBo6ODhIjPsusNRPUGIK4d72bc73' \
 -d '{}'

//Example Request to GET all devices with Token sent as Query Parameter

curl -X GET '' \