Authentication
The LLM-ready API supports three methods of authentication:
Email market.intelligence@spglobal.com to obtain LLM-ready API Okta credentials.
Browser Login
This method is not applicable when working on a remote machine without direct access to a browser window and is not advisable for use in production workflows.
Browser login is a convenient way to quickly get started using the LLM-ready API and is available in the kFinance Python Library by executing the following code:
client = Client()
A browser window will open prompting Okta sign-in with LLM-ready API Okta credentials. Use the email address associated with the trial credentials as the username.
Refresh Token
Refresh tokens expire after 7 days. This method is not advisable for use in production workflows.
Refresh tokens can be used for authentication in the Python Library and when making API calls directly.
See Kensho's general instructions for step-by-step guidance on obtaining a refresh token.
To authenticate with a refresh token:
- Navigate to LLM-ready API Manual Login (opens in a new tab)
- Log in with your LLM-ready API Okta credentials
- Copy the refresh token
- Use the refresh token to authenticate your API requests.
client = Client(refresh_token="your_refresh_token_here")
Public/Private Key
Public/Private keypair authentication is recommended when using Kensho APIs for production use cases. While it requires some additional setup, this method is the most secure and easy way to use Kensho APIs in the long term.
Authenticating with keys requires a number of steps:
Generating an RSA keypair
In this guide, we will use the OpenSSL (opens in a new tab) library, which is available on Unix systems (which includes Macs). First, open a terminal and generate a 2048-bit private key:
openssl genrsa -out private.pem 2048
Next, extract the public key:
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
Send Kensho your public key
Important note
Do not send us your private key! While your public key and Client ID
are not secret, your
private key should not be shared outside of your organization.
Email support@kensho.com the following information:
- Your PEM encoded public key as an attachment.
- That you would like to be added to the
users_kfinance
group.
We will respond with your Client ID
. You will need this ID in the following step. While typical
response times are quick, please allow up to three business days for us to process your request.
Once you have obtained your public/private keypair, you can use it using the kFinance Python Library by executing the following code:
client = Client(client_id="your_client_id_here", private_key="your_private_key_here")
Obtaining an Access Token
Once Kensho has sent a Client ID
, it can be used, in conjunction with the private key above, to generate
a usable access token. Sample code to convert a Client ID
and private.pem
key file combination can be
seen below.
Unlike with refresh tokens, access tokens generated through this method can have a custom expiration defined
in the exp
field and be up to 60 minutes maximum.
import jwt
import requests
import time
def get_access_token_from_key(client_id):
PRIVATE_KEY_PATH = "private.pem" # the location of your generated private key file
with open(PRIVATE_KEY_PATH, "rb") as f:
private_key = f.read()
iat = int(time.time())
encoded = jwt.encode(
{
"aud": "https://kensho.okta.com/oauth2/default/v1/token",
"exp": iat + (30 * 60), # expire in 30 minutes
"iat": iat,
"sub": client_id,
"iss": client_id,
},
private_key,
algorithm="RS256",
)
response = requests.post(
"https://kensho.okta.com/oauth2/default/v1/token",
headers={
"Content-Type": "application/x-www-form-urlencoded",
"Accept": "application/json",
},
data={
"scope": "kensho:app:kfinance",
"grant_type": "client_credentials",
"client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
"client_assertion": encoded,
}
)
return response.json()["access_token"]
CLIENT_ID = "" # paste your Client ID sent to you by Kensho inside the quotation marks
# Override the scope parameter if your application only needs access to select Kensho APIs
ACCESS_TOKEN = get_access_token_from_key(CLIENT_ID)