Authentication Protocol
Client API consumers will authenticate against an OAuth2 endpoint exposed by the client API (see endpoint URLs below). The OAuth2 endpoint acts as the authorization server for your client and will provide the granted credentials for access to the API Endpoints. This Authorization API POST request will return a short-lived JSON Web Token that will be provided in calls to the application endpoints exposed by the API.
Production Authentication Endpoint
https://apxjwtauthprod.apx.com/oauth/tokenUAT Authentication Endpoint
https://apxjwtauthuat.apx.com/oauth/tokenHeaders
| Key | Value | Description |
|---|---|---|
| Authorization | Basic {client:secret} | The client:secret for the token request. This is Base64-encoded as standard for HTTP Basic Authentication. This value authorizes your software to access Xpansiv resources. |
| Content-Type | application/x-www-form-urlencoded | Indicates that the POST-ed content is URL-encoded. |
Parameters
These parameters must be POST-ed to the endpoint above as URL-encoded form data.
| Field | Description |
|---|---|
| Username | Client API Service User Name |
| Password | Client API Service Password |
| grant_type | Value: password. This is associated with the The OAuth 2.0 Authorization Framework password credentials scenario |
Results
| Field | Description |
|---|---|
| access_token | This is the token to be used in the “Bearer” value of the HTTP Authorization header in subsequent requests. |
| token_type | The type of the token to be used in the API Requests. |
| grant_type | Value: password. This is associated with the OAuth2 password credentials scenario. The value returned will be “bearer” |
| expires_in | Duration (in seconds) in which the token will expire and a subsequent authentication request will need to be made if time expires. |
| scope | The scope of the granted access. The value returned will be "access". |
Attempts to call application endpoints without a valid token will result in an HTTP error message being returned.
Status Codes
| HTTP Status Code | Status | Status Message |
|---|---|---|
| 200 | SUCCESS | Successfully authenticated |
| 401 | ERROR | Bad Request - Invalid Login ID or Password |
Get/Post Security
In order to successfully call into the APIs the below authorization header will need to be presented.
Headers
| Key | Value | Description |
|---|---|---|
| Authorization | Bearer {access_token} | The access_token that is returned from the authentication request will be inserted into the value field. |