Fetch Access / Refresh Token POST

API queries must be made over HTTPS; plain HTTP is refused. You must include your X-App headers in every request.

Access tokens are used in token-based authentication to allow an application to access an API. The application receives an access token after a user successfully authenticates and authorizes access, then passes the access token as a credential when it calls the target API. The passed token informs the API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization.

# ENDPOINT
/oauth/v2/token
# REQUEST BODY
Schema: accessTokenRequest

In such a setup, access is secured through unique API tokens, which are generated by the system and assigned to a particular host. Each token has the following properties:

Type: object
| Variable Name | Type | Format | Usage / Description |
|---|---|---|---|
| client_id | Client Id | string | Client identifier issued to the client by the external system |
| client_secret | Client Secret | string | Client secret issued to the client by the external system |
| grant_type | Grant Type | string | Grant type. Values: "client_credentials", "mfa_oob", "code", "password" |
| response_type | Response Type | string | Indicates that your server expects to receive an authorization code. Values: "access_token", "code", "sign_token" |
| scope | Scope of Access | string | Scope of access |
| state | State | string | Client server session id (to prevent MITM requests) |
# REQUEST BODY EXAMPLE
```json
{
  "client_id": "backend_fin",
  "client_secret": "secretkey",
  "grant_type": "client_credentials",
  "response_type": "access_token",
  "scope": "REST:FULL",
  "state": ""
}
```
# POSITIVE RESPONSE

Response access token

If the request is successful, the Authorization Server authenticates the client, validates the data, and responds with a JSON payload containing an access token, a refresh token, a token type set to bearer and an expiration time set to one hour.

Schema: accessTokenResponse
Type: application/json
| Variable Name | Type | Format | Description |
|---|---|---|---|
| access_token | access_token | string | Access token |
| expires_in | expires_in | string | Expiration time |
| refresh_token | refresh_token | string | Refresh token |
| token_type | token_type | string | Token type |
# RESPONSE POSITIVE EXAMPLE
```json
{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "refresh_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "access_token",
  "expires_in": 3600
}
```
# NEGATIVE RESPONSE

Errors raised while issuing an access token are defined as in the RFC 6749 standard.

This is completely vanilla as per the OAuth 2.0 specification.
An error response specifies the Content-Language of the response and has the Content-Type parameter set to application/json; charset=utf-8.
In addition, the Authorization Server includes the Cache-Control: no-store and Pragma: no-cache headers to prevent intermediate cache servers from storing responses that contain sensitive information.

Schema: accessTokenError
Type: application/json
| Variable Name | Type | Format | Description |
|---|---|---|---|
| error | Error Code | string | Error code |
| error_description | Error Description | string | Description of the error |
# RESPONSE NEGATIVE EXAMPLE
```json
{
  "error": "unsupported_grant_type",
  "error_description": "Unsupported grant type."
}
```
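The following client-side helper, added here as an example and not part of this API's own SDK, builds the accessTokenRequest body for the client_credentials grant, refuses a non-HTTPS endpoint before anything is sent, and maps the accessTokenResponse and accessTokenError bodies shown above into typed values. The base URL is an assumed placeholder, the X-App header names are not specified on this page and so are left out, and the sample bodies are copied from the examples above.

```python
import json
from dataclasses import dataclass
from urllib.parse import urlparse

TOKEN_PATH = "/oauth/v2/token"


@dataclass(frozen=True)
class AccessToken:
    access_token: str
    refresh_token: str
    token_type: str
    expires_in: int  # seconds; the schema says string, the example sends an int, so both are accepted


class TokenError(Exception):
    """Raised for an accessTokenError body (RFC 6749 error response)."""
    def __init__(self, error: str, description: str):
        super().__init__(f"{error}: {description}")
        self.error, self.description = error, description


def token_url(base_url: str) -> str:
    """Build the endpoint URL; the server refuses plain HTTP, so refuse it here before sending credentials."""
    if urlparse(base_url).scheme != "https":
        raise ValueError("token endpoint must be reached over HTTPS")
    return base_url.rstrip("/") + TOKEN_PATH


def build_request(client_id: str, client_secret: str, scope: str, state: str = "") -> dict:
    """accessTokenRequest body for the client_credentials grant (fields exactly as in the schema)."""
    return {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "client_credentials", "response_type": "access_token",
            "scope": scope, "state": state}


def parse_response(status: int, body: str) -> AccessToken:
    """Turn a raw token response into an AccessToken, or raise TokenError for an error body."""
    data = json.loads(body)
    if status >= 400 or "error" in data:
        raise TokenError(data.get("error", "unknown_error"), data.get("error_description", ""))
    missing = {"access_token", "refresh_token", "token_type", "expires_in"} - data.keys()
    if missing:  # a positive response that lacks schema fields is treated as a failure, not a token
        raise ValueError(f"accessTokenResponse missing fields: {sorted(missing)}")
    return AccessToken(data["access_token"], data["refresh_token"],
                       data["token_type"], int(data["expires_in"]))


# Constructed sample bodies, copied from the positive and negative examples in this document.
POSITIVE_BODY = ('{"access_token":"2YotnFZFEjr1zCsicMWpAA","refresh_token":"2YotnFZFEjr1zCsicMWpAA",'
                 '"token_type":"access_token","expires_in":3600}')
NEGATIVE_BODY = '{"error":"unsupported_grant_type","error_description":"Unsupported grant type."}'
```

The client_secret only ever appears in the request body; keep it out of logs and URLs, and treat TokenError.error as the value to branch on rather than the free-text description.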