Skip to main content

Authentication

The Data API uses short-lived session tokens. You log in once with account credentials, receive a token, send that token as a bearer header on every call, and log out when you are done. Tokens expire after 15 minutes of inactivity; every successful call resets the clock.

Before you start

The account you authenticate with must:

  • exist in the hosted FileMaker file (not in the FileMaker Server administration console),
  • belong to a privilege set with the fmrest extended privilege enabled, and
  • have access to the layouts you plan to call.

Create a dedicated API account with the narrowest privilege set that works. Do not use a developer's full-access account for an integration.

Log in

Send a POST to the sessions endpoint with HTTP Basic credentials and an empty JSON body.

curl -sS -X POST \
"https://fms.example.com/fmi/data/v1/databases/Inventory/sessions" \
-H "Content-Type: application/json" \
-u "api_user:REPLACE_WITH_PASSWORD" \
-d "{}"

A successful login returns HTTP 200 with the token in the body (and also in the X-FM-Data-Access-Token response header):

{
"response": { "token": "823c0f48bb80f2187bde6f3859dabd4dcf8ea43be420dfeadf34" },
"messages": [{ "code": "0", "message": "OK" }]
}

Wrong credentials return HTTP 401 with FileMaker code 212. Valid credentials that fail anyway usually mean the privilege set is missing the fmrest extended privilege; see Errors.

Use the token

Every subsequent call sends the token as a bearer header:

curl -sS \
"https://fms.example.com/fmi/data/v1/databases/Inventory/layouts/Products/records?_limit=5" \
-H "Authorization: Bearer 823c0f48bb80f2187bde6f3859dabd4dcf8ea43be420dfeadf34"

Log out

Send a DELETE with the token in the URL path. This is the one endpoint that does not use the Authorization header, and it is the most common integration mistake in this API.

curl -sS -X DELETE \
"https://fms.example.com/fmi/data/v1/databases/Inventory/sessions/823c0f48bb80f2187bde6f3859dabd4dcf8ea43be420dfeadf34"

Log out when your work is done instead of letting tokens time out. FileMaker Server holds resources per open session, and orphaned sessions count against concurrent connection limits.

Session strategy for real integrations

  • Reuse one token per worker. Log in once, run many calls, log out. Logging in per request roughly doubles your call volume and slows everything down.
  • Handle expiry as a normal event. Any call can return HTTP 401 with code 952 after an idle period. Re-authenticate once and retry the original request, then fail loudly if it happens again.
  • Never log tokens. Treat them like passwords. Log the last four characters if you need to correlate sessions.
  • Always use HTTPS. The API sends credentials as Basic auth on login; plain HTTP would expose them.