1. Authentication
To ensure security in every interaction with the API Platform, we use the OAuth 2.0 standard for request authentication. Below are the key steps to authenticate correctly.
Step 1: Obtain the Access Tokenโ
Each client must request an access token using their client_id and client_secret through Basic Authentication.
The request is made through the following endpoint:
Request type: POST
Endpoint: baseUrl/oauth2/token
The request body must be of type application/x-www-form-urlencoded and include only the following parameters:
Example request body:
grant_type: client_credentials
scope: test/full_access
Important: client_id and client_secret are not sent in the body; they are sent through Basic Authentication in the Authorization header.
Using Basic Authenticationโ
To send the authentication request, the client_id and client_secret values must be concatenated in the format:
client_id:client_secret
This value must be Base64 encoded and sent in the Authorization header:
Authorization: Basic {Base64(client_id:client_secret)}
Using the scope parameterโ
In test environments, the value of scope should be test/full_access.
Step 2: Authenticate Requestsโ
Once you obtain the token, it must be included in the header of each authenticated request. The header must have the following format:
Authorization: Bearer {access_token}
This ensures that all requests are validated and authenticated by the server.
Step 3: Token Renewalโ
Access tokens have a limited validity period. When it expires, you must make a new request to obtain an updated token.
Remember to keep your credentials secure and renew the token before it expires to avoid service interruptions.
Example with cURLโ
curl --location 'baseUrl/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic Base64(client_id:client_secret)' \
--data-urlencode 'scope=test/full_access' \
--data-urlencode 'grant_type=client_credentials'
Useful Linksโ
The returned JWT is valid for 1 hour (3600 seconds).
