API requests must be sent over HTTPS; plain HTTP is refused. Include your X-App headers in every request.
Access tokens are used in token-based authentication to allow an application to access an API. The application receives an access token after a user successfully authenticates and authorizes access, then passes the access token as a credential when it calls the target API. The passed token informs the API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization.
In this setup, security rests on unique API tokens that are generated by the system and assigned to a particular host. Each token request has the following properties:
Variable | Name | Type | Description
---|---|---|---
client_id | Client Id | string | Client identifier issued to the client by the external system
client_secret | Client Secret | string | Client secret issued to the client by the external system
grant_type | Grant Type | string | Grant type. Values: "client_credentials", "mfa_oob", "code", "password"
response_type | Response Type | string | Indicates what your server expects to receive, e.g. an authorization code. Values: "access_token", "code", "sign_token"
scope | Scope of Access | string | Scope of access
state | State | string | Client server session id (to prevent MITM requests)

```json
{
  "client_id": "backend_fin",
  "client_secret": "secretkey",
  "grant_type": "client_credentials",
  "response_type": "access_token",
  "scope": "REST:FULL",
  "state": ""
}
```
Access token response

If the request succeeds, the Authorization Server authenticates the client, validates the data, and responds with a JSON payload containing an access token, a refresh token, a token type set to bearer, and an expiration time set to one hour.
Variable | Name | Type | Description
---|---|---|---
access_token | access_token | string | Access token
expires_in | expires_in | string | Expiration time
refresh_token | refresh_token | string | Refresh token
token_type | token_type | string | Token type

```json
{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "refresh_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "access_token",
  "expires_in": 3600
}
```
Access token error responses as defined in RFC 6749

Error handling follows the OAuth 2.0 specification without deviation.

An error response specifies the Content-Language of the response and has the Content-Type header set to application/json; charset=utf-8.
In addition, the Authorization Server includes the Cache-Control: no-store and Pragma: no-cache headers in order to prevent any intermediate cache servers from storing responses with any sensitive information.
Variable | Name | Type | Description
---|---|---|---
error | Error Code | string | Error code
error_description | Error Description | string | Description of the error

```json
{
  "error": "unsupported_grant_type",
  "error_description": "Unsupported grant type."
}
```
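The following is an added example, not the provider's code, that walks the client-credentials exchange end to end using the request body, success payload and error payload documented above. The endpoint URL, the X-App header names, the registered-client table and the in-process "mock" authorization server are all constructed stand-ins; the error codes invalid_client and invalid_scope beyond the documented unsupported_grant_type are the standard RFC 6749 codes, and the mock returns token_type "bearer" as the response description states. The client side refuses a non-HTTPS endpoint, attaches the X-App headers, and treats a token response that lacks Cache-Control: no-store as invalid.

```python
"""Client-credentials token exchange using the documented request/response shapes.
Added example with constructed endpoint, header names, clients and mock server."""
import json
import secrets
import time
from dataclasses import dataclass

TOKEN_URL = "https://auth.example.invalid/oauth/token"                   # placeholder endpoint
APP_HEADERS = {"X-App-Id": "example-app", "X-App-Key": "example-key"}   # assumed header names
SUPPORTED_GRANTS = {"client_credentials", "mfa_oob", "code", "password"}
GRANTED_SCOPE = "REST:FULL"   # scope used in the documented sample request


class TokenError(Exception):
    """The documented {error, error_description} payload, raised on the client side."""

    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


@dataclass
class AccessToken:
    access_token: str
    refresh_token: str
    token_type: str
    expires_at: float   # absolute epoch time derived from expires_in


def build_token_request(client_id, client_secret, scope=GRANTED_SCOPE,
                        state="", grant_type="client_credentials"):
    """Headers and JSON body for the token request; refuses non-HTTPS and adds X-App headers."""
    if not TOKEN_URL.startswith("https://"):
        raise ValueError("token endpoint must be HTTPS; plain HTTP is refused")
    body = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": grant_type, "response_type": "access_token",
            "scope": scope, "state": state}
    return {"Content-Type": "application/json", **APP_HEADERS}, json.dumps(body)


def mock_token_endpoint(registered_clients, raw_body):
    """Constructed stand-in for the Authorization Server: (status, headers, JSON body)."""
    headers = {"Content-Type": "application/json; charset=utf-8",
               "Content-Language": "en",
               "Cache-Control": "no-store",    # keep token material out of shared caches
               "Pragma": "no-cache"}

    def error(status, code, description):
        return status, headers, {"error": code, "error_description": description}

    req = json.loads(raw_body)
    if req.get("grant_type") not in SUPPORTED_GRANTS:
        return error(400, "unsupported_grant_type", "Unsupported grant type.")
    expected_secret = registered_clients.get(req.get("client_id"))
    # Constant-time comparison so a wrong secret is not distinguishable by timing.
    if expected_secret is None or not secrets.compare_digest(
            expected_secret, str(req.get("client_secret", ""))):
        return error(401, "invalid_client", "Client authentication failed.")
    if req.get("scope") != GRANTED_SCOPE:
        return error(400, "invalid_scope", "Requested scope is not granted to this client.")
    return 200, headers, {"access_token": secrets.token_urlsafe(24),
                          "refresh_token": secrets.token_urlsafe(24),
                          "token_type": "bearer", "expires_in": 3600}


def parse_token_response(status, headers, body, now=None):
    """Map a success payload to AccessToken, or raise TokenError for an error payload."""
    if "error" in body:
        raise TokenError(body["error"], body.get("error_description", ""))
    if status != 200:
        raise TokenError("invalid_response", f"unexpected HTTP status {status}")
    if headers.get("Cache-Control") != "no-store":
        # A token response that intermediaries may cache is not one to trust.
        raise TokenError("invalid_response", "missing Cache-Control: no-store")
    now = time.time() if now is None else now
    return AccessToken(body["access_token"], body["refresh_token"],
                       body["token_type"], now + int(body["expires_in"]))


def obtain_token(client_id, client_secret, registered_clients, now=None, **request_kwargs):
    """Run the exchange end to end; a real client would POST raw_body to TOKEN_URL instead."""
    _headers, raw_body = build_token_request(client_id, client_secret, **request_kwargs)
    status, resp_headers, resp_body = mock_token_endpoint(registered_clients, raw_body)
    return parse_token_response(status, resp_headers, resp_body, now)


def error_code_for(*args, **kwargs):
    """Documented error code for a failing exchange, or None when it succeeds."""
    try:
        obtain_token(*args, **kwargs)
    except TokenError as exc:
        return exc.error
    return None
```

Usage: `obtain_token("backend_fin", "secretkey", {"backend_fin": "secretkey"})` returns an `AccessToken` whose `expires_at` can be compared against the clock before each API call to decide when to use the refresh token; `error_code_for(...)` with a wrong secret, an unknown grant type or an ungranted scope returns the corresponding error code.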