Flows API
  • Globus Flows
  • Overview
  • Getting Started
    • How to Run a Flow
    • How to Monitor a Flow Run
    • How to Create a Flow
  • Authoring Flows
    • Introduction
    • Actions
    • Expressions
    • Choice States
    • Wait States
    • Fail States
    • Pass States
    • Protecting Secrets
    • Handling Exceptions
    • Performing Actions as Different Users
    • Run Context
    • Validating Flow Definitions
  • Authoring Input Schemas
  • Authentication and Authorization
  • Consents and Resuming Runs
  • Permissions
  • Limits
  • Hosted Action Providers
    • Hello World
    • Globus Search - Ingest Task
    • Globus Search - Delete Task
    • Send Notification Email
    • Wait For User Selection
    • Expression Evaluation
    • DataCite Mint
    • Transfer APs
    • Compute AP
  • Example Flows
    • Simple Transfer
    • Move (copy and delete) files
    • Transfer and Share Files
    • Two Stage Globus Transfer
    • Transfer After Approval
    • Looping Batched Move
    • Tar and Transfer with Globus Compute
Skip to main content
Globus Docs
  • Getting Started
    Getting Started

    Getting Started and Tutorial docs cover how to perform some activity or provide an introduction to a feature. They are not comprehensive, but help you get started with Globus or with new Globus features.

    • Users
    • Admins
    • Developers
  • Reference
    Reference
    • Service
      • Auth
      • Groups
      • Transfer
      • Timers
      • Flows
      • Compute
      • Search
    • Agents
      • Globus Connect Server
      • GCS CLI
      • Globus Connect Personal
      • Globus Compute
    • SDK
      • Python
      • JS
    • Clients
      • CLI
    • Security and Compliance
      • Product Security
      • Privacy
      • Solutions for Sensitive Data
      • FAQs
  • Solutions & Guides
    Solutions & Guides

    Find practical approaches for leveraging Globus in research environments, integrating with platforms, and building science gateways. Access hands-on guides, integration instructions, and real-world scenarios for advanced usage.

    • Portals/Science Gateways
    • Guides
  • Support
    Support

    Find answers to frequently asked questions, connect with the community by joining our mailing lists, or reach out directly to Globus support.

    • FAQs
    • Mailing Lists
    • Contact Us
    • Check Support Tickets
  • Site Search
  1. Home
  2. Globus Services
  3. Globus Flows
  4. Authentication and Authorization

Authentication and Authorization

All interactions with Globus Action Providers and Globus Flows are authenticated by Globus Auth.

Tokens provided by Globus Auth authenticate the user and provide limited authorization semantics. Roles established within the Globus Flows service provide richer authorization capabilities for flows and runs.

Authentication

Globus Flows APIs require the use of OAuth2 access tokens issued by Globus Auth unless stated otherwise.

Tokens must be requested with one or more of the Globus Flows scopes listed below, or for a scope associated with a specific flow.

Once obtained, the access token needs to be passed in the Authorization header with the method Bearer:

Authorization: Bearer <access_token>

For example, using curl:

curl -H "Authorization: Bearer $TOKEN" https://flows.automate.globus.org/

Service Scopes

The following scopes are those which belong to the Globus Flows service, giving tokens with these scopes capabilities to manipulate flows and runs.

Name Scope String Definition

all

https://auth.globus.org/scopes/eec9b274-0c81-4334-bdc2-54e90e689b9a/all

Grants all capabilities of the Flows service, except those which require a flow-specific scope

manage_flows

https://auth.globus.org/scopes/eec9b274-0c81-4334-bdc2-54e90e689b9a/manage_flows

Grants ability to manage flows

view_flows

https://auth.globus.org/scopes/eec9b274-0c81-4334-bdc2-54e90e689b9a/view_flows

Grants ability to view flows

run

https://auth.globus.org/scopes/eec9b274-0c81-4334-bdc2-54e90e689b9a/run

Grants ability to run flows.

CAUTION: This scope only supports basic flows with no external action references. Most flows will require the use of Flow Scopes

run_status

https://auth.globus.org/scopes/eec9b274-0c81-4334-bdc2-54e90e689b9a/run_status

Grants ability to check the status of runs

run_manage

https://auth.globus.org/scopes/eec9b274-0c81-4334-bdc2-54e90e689b9a/run_manage

Grants ability to manage runs

Flow Scopes

In addition to the service scopes, each flow has its own scope which is named based on the flow ID.

These scopes can be requested from the flow itself or via a supported Globus SDK.

For example, to get the scope for a flow with ID f1b4c6c0-6b2d-11e9-bd8c-0a06afd4a22e using an authenticated curl and the jq tool:

curl -s -H "Authorization: Bearer $TOKEN" \
    "https://flows.automate.globus.org/flows/f1b4c6c0-6b2d-11e9-bd8c-0a06afd4a22e" \
    | jq -r '.globus_auth_scope'

Or via the globus CLI:

globus flows show "f1b4c6c0-6b2d-11e9-bd8c-0a06afd4a22e" \
    --jmespath 'globus_auth_scope' -Funix

The flow's specific scope is used to start runs of the flow.

  • Globus Flows
  • Overview
  • Getting Started
    • How to Run a Flow
    • How to Monitor a Flow Run
    • How to Create a Flow
  • Authoring Flows
    • Introduction
    • Actions
    • Expressions
    • Choice States
    • Wait States
    • Fail States
    • Pass States
    • Protecting Secrets
    • Handling Exceptions
    • Performing Actions as Different Users
    • Run Context
    • Validating Flow Definitions
  • Authoring Input Schemas
  • Authentication and Authorization
  • Consents and Resuming Runs
  • Permissions
  • Limits
  • Hosted Action Providers
    • Hello World
    • Globus Search - Ingest Task
    • Globus Search - Delete Task
    • Send Notification Email
    • Wait For User Selection
    • Expression Evaluation
    • DataCite Mint
    • Transfer APs
    • Compute AP
  • Example Flows
    • Simple Transfer
    • Move (copy and delete) files
    • Transfer and Share Files
    • Two Stage Globus Transfer
    • Transfer After Approval
    • Looping Batched Move
    • Tar and Transfer with Globus Compute
© 2010- The University of Chicago Legal Privacy Accessibility