Authorization

Aha!
Prerequisites
The Aha! REST API supports two authentication methods, and the credentials required depend on which method best fits the integration scenario. Both methods require your Aha! account domain — the subdomain portion of your Aha! URL (for example, mycompany for https://mycompany.aha.io). Review the prerequisites for the relevant method below before creating a credential in Nexla.
Aha! recommends OAuth 2.0 when an application acts on behalf of an interactive user, because it avoids sharing account credentials with an external application. An API key is the best approach for service-to-service integrations that call Aha! outside the context of a user interaction — which is the typical pattern for a Nexla data flow.
API Key (Bearer Token)
An Aha! API key is tied to a specific user and account, and it grants access using that user's permissions. Multiple keys can be generated and revoked independently.
- Sign in to your Aha! account at https://<your-subdomain>.aha.io.
- Click your account settings, and select Personal to open your personal settings.
- In the personal settings menu, click Developer.
- On the Developer screen, click Generate API key.
- Enter a descriptive name for the key (for example, "Nexla Integration"), and click Generate API key.
- Copy the generated API key value, and store it securely. This value grants access to your Aha! account data using your permissions, so it should be treated like a password.
Aha! displays the full API key value at generation time. Copy it immediately and store it in a secure secret manager — you will need to generate a new key if the value is lost. Keys can be revoked at any time from the same Developer screen.
For complete information about API key access, see the Aha! REST API documentation.
OAuth 2.0 (3-Legged)
OAuth 2.0 uses the standard authorization code (three-legged) flow, in which the authorizing Aha! user grants your registered application delegated access to their account. This method is recommended for applications that connect on behalf of interactive users.
- Sign in to your Aha! account, and navigate to Personal settings, then click Developer.
- On the Developer screen, switch to the OAuth applications tab, and click Register OAuth application.
- Enter the requested application details, including the application name and the redirect URI.
  - Redirect URI: Set this to the Nexla OAuth callback URL shown in the Nexla credential overlay. The redirect URI registered with Aha! must exactly match the one used during the authorization and token-exchange steps.
- After registering the application, copy the Client ID (Application ID) and Client Secret values, and store them securely. The Client Secret is shown only at registration time.
For complete information about the OAuth 2.0 flow and application registration, see the Aha! OAuth2 documentation.
The API Key and Client Secret values grant access to Aha! account data. Store them in a secure secret manager, never commit them to source control, and rotate them immediately if you suspect they have been exposed.
Create an Aha! Credential
- To create a new Aha! credential, after selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.
Credential Name & Description
- Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.
Resource descriptions are recommended but are not required. They should be used to provide information about the resource purpose, data freshness, etc. that can help the owner and other users efficiently understand and utilize the resource.
Authentication Method
- Select the authentication method that matches your Aha! setup, and complete the corresponding fields. Both methods require your Aha! Account Domain, the subdomain of your Aha! URL (for example, mycompany for https://mycompany.aha.io).
Aha! Authentication Methods
API Key (Bearer Token)
Authenticate using an Aha! API key passed as a Bearer token. Best suited for service-to-service integrations that call Aha! outside the context of an interactive user, which is the typical pattern for a Nexla data flow.
- Enter your Aha! **Account Domain** in the **Account Domain** field. This is the subdomain of your Aha! URL; for example, enter `mycompany` for `https://mycompany.aha.io`.
- Enter your Aha! **API Key** value in the **API Key Value** field. This value is generated from **Personal** settings > **Developer** > **Generate API key** in Aha! and is treated as a secret.
OAuth 2.0 (3-Legged)
Authenticate using a 3-legged OAuth 2.0 authorization code flow. Recommended for applications that connect on behalf of interactive Aha! users.
- Enter your Aha! **Account Domain** in the **Account Domain** field. This value is used to build the authorization and token URLs (`https://<your-subdomain>.aha.io/oauth/authorize` and `https://<your-subdomain>.aha.io/oauth/token`).
- Enter the **Client ID** issued for your registered Aha! OAuth application in the **Client ID** field.
- Enter the **Client Secret** issued for your registered Aha! OAuth application in the **Client Secret** field.
- Optionally, enter a space-separated list of permission scopes in the **Access Scope** field. Leave this blank to request the application's default access.
- Click **Authorize** to launch the Aha! consent screen. Sign in to the Aha! account that will be connected, and approve access for your application.
- After the consent screen is approved, Aha! redirects back to Nexla with an authorization code. Nexla automatically exchanges this code for an access token and refresh token, and stores the resulting tokens on the credential.
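The authorization-code exchange described in the steps above, as an added Python example; it is not Nexla's or Aha!'s code. The authorize and token URLs come from this page, the request parameter names from RFC 6749, and the function names, client ID and redirect URI are assumptions or placeholders.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# The Account Domain must be one DNS label, e.g. "mycompany".
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")

def aha_base_url(account_domain):
    """Build https://<label>.aha.io, rejecting input that would change the host."""
    label = account_domain.strip().lower()
    if not _LABEL.fullmatch(label):
        raise ValueError(f"not a bare subdomain: {account_domain!r}")
    return f"https://{label}.aha.io"

def build_authorize_url(account_domain, client_id, redirect_uri, scope=""):
    """Return (url, state); parameter names follow RFC 6749 section 4.1.1."""
    state = secrets.token_urlsafe(32)  # unguessable, bound to this attempt
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    if scope:  # blank requests the application's default access
        params["scope"] = scope
    return f"{aha_base_url(account_domain)}/oauth/authorize?{urlencode(params)}", state

def code_from_callback(callback_url, registered_redirect_uri, expected_state):
    """Check the redirect target and state, then return the authorization code."""
    parts = urlsplit(callback_url)
    # Assumes the registered redirect URI has no query string of its own.
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != registered_redirect_uri:
        raise ValueError("callback does not match the registered redirect URI")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for this attempt")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code

def token_request(account_domain, client_id, client_secret, redirect_uri, code):
    """Return (url, form fields) for the code exchange (RFC 6749 section 4.1.3)."""
    form = {"grant_type": "authorization_code", "code": code,
            "client_id": client_id, "client_secret": client_secret,
            "redirect_uri": redirect_uri}  # must equal the authorize-step value
    return f"{aha_base_url(account_domain)}/oauth/token", form
```

The label check in `aha_base_url` matters because the Account Domain is interpolated into the host that receives the Client Secret and the authorization code.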
Save the Credential
- Once all of the relevant steps in the above sections have been completed, click the Save button at the bottom of the overlay to save the configured credential.
- The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation and can be selected for use with a new data source or destination.