LLM-ready API
Authentication

Authentication

The LLM-ready API supports three methods of authentication:

  1. Browser Login
  2. Refresh Token
  3. Public/Private Key

Email market.intelligence@spglobal.com to obtain LLM-ready API Okta credentials.

Browser Login

This method is not applicable when working on a remote machine without direct access to a browser window and is not advisable for use in production workflows.

Browser login is a convenient way to quickly get started using the LLM-ready API and is available in the kFinance Python Library by executing the following code:

client = Client()

A browser window will open prompting Okta sign-in with LLM-ready API Okta credentials. Use the email address associated with the trial credentials as the username.

Refresh Token

Refresh tokens expire after 7 days. This method is not advisable for use in production workflows.

Refresh tokens can be used for authentication in the Python Library and when making API calls directly.

See Kensho's general instructions for step-by-step guidance on obtaining a refresh token.

To authenticate with a refresh token:

  1. Navigate to LLM-ready API Manual Login (opens in a new tab)
  2. Log in with your LLM-ready API Okta credentials
  3. Copy the refresh token
  4. Use the refresh token to authenticate your API requests.
client = Client(refresh_token="your_refresh_token_here")

Public/Private Key

Public/Private keypair authentication is recommended when using Kensho APIs for production use cases. While it requires some additional setup, this method is the most secure and easy way to use Kensho APIs in the long term.

Authenticating with keys requires a number of steps:

  1. Generate a keypair.
  2. Send Kensho your public key.
  3. Obtain an access token.

Generating an RSA keypair

In this guide, we will use the OpenSSL (opens in a new tab) library, which is available on Unix systems (which includes Macs). First, open a terminal and generate a 2048-bit private key:

openssl genrsa -out private.pem 2048

Next, extract the public key:

openssl rsa -in private.pem -outform PEM -pubout -out public.pem

Send Kensho your public key

Important note

Do not send us your private key! While your public key and Client ID are not secret, your private key should not be shared outside of your organization.

Email support@kensho.com the following information:

  1. Your PEM encoded public key as an attachment.
  2. That you would like to be added to the users_kfinance group.

We will respond with your Client ID. You will need this ID in the following step. While typical response times are quick, please allow up to three business days for us to process your request.

Once you have obtained your public/private keypair, you can use it using the kFinance Python Library by executing the following code:

client = Client(client_id="your_client_id_here", private_key="your_private_key_here")

Obtaining an Access Token

Once Kensho has sent a Client ID, it can be used, in conjunction with the private key above, to generate a usable access token. Sample code to convert a Client ID and private.pem key file combination can be seen below.

Unlike with refresh tokens, access tokens generated through this method can have a custom expiration defined in the exp field and be up to 60 minutes maximum.

import jwt
import requests
import time
 
def get_access_token_from_key(client_id):
 
    PRIVATE_KEY_PATH = "private.pem"  # the location of your generated private key file
    with open(PRIVATE_KEY_PATH, "rb") as f:
        private_key = f.read()
 
    iat = int(time.time())
    encoded = jwt.encode(
        {
            "aud": "https://kensho.okta.com/oauth2/default/v1/token",
            "exp": iat + (30 * 60),  # expire in 30 minutes
            "iat": iat,
            "sub": client_id,
            "iss": client_id,
        },
        private_key,
        algorithm="RS256",
    )
    response = requests.post(
        "https://kensho.okta.com/oauth2/default/v1/token",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        data={
            "scope": "kensho:app:kfinance",
            "grant_type": "client_credentials",
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": encoded,
        }
    )
    return response.json()["access_token"]
 
CLIENT_ID = ""  # paste your Client ID sent to you by Kensho inside the quotation marks
# Override the scope parameter if your application only needs access to select Kensho APIs
ACCESS_TOKEN = get_access_token_from_key(CLIENT_ID)