Authentication

All endpoints in the API are protected behind an authentication system, except for the endpoint to create an authentication token.

Create token

https://customdomain.com/api/oauth/token

  • Method: POST
  • Body: grant_type=client_credentials
  • Headers:
    • Authorization: Basic base64Encoded(clientId:clientSecret)
    • Content-Type: application/x-www-form-urlencoded

We implement the OAuth spec with the client_credentials grant type (check the specification for more details).

Upon requesting access to the API, you'll receive a client_id and a client_secret, which are used to create an access token. Send those credentials in the Authorization header using the Basic type: join them with a colon (clientId:clientSecret) and base64-encode the result, as specified in https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization#Directives.

For example, for a client_id = "CLIENT_ID" and a client_secret = "CLIENT_SECRET", the resulting string would be base64Encode("CLIENT_ID:CLIENT_SECRET") = "Q0xJRU5UX0lEOkNMSUVOVF9TRUNSRVQ=".

The resulting token expires after one hour, after which a new one needs to be created. The value of expires_in is given in seconds.

Example request

POST /api/oauth/token HTTP/1.1
Host: customdomain.com
Authorization: Basic Q0xJRU5UX0lEOkNMSUVOVF9TRUNSRVQ=
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials

Response

{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "Bearer",
  "expires_in": 3600
}

Errors

The possible error codes for this endpoint are listed in the specification: https://tools.ietf.org/html/rfc6749#section-5.2

Authenticate requests

After you have successfully created an access token, include it in the Authorization header, using the Bearer type, to authenticate requests to the API.
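
The full flow described on this page, from the client's side, as an added example (not code from the API provider): it builds the token request, caches the token, and requests a new one shortly before expires_in elapses. The names TokenCache, fetch_token and the 60-second refresh margin are assumptions chosen for illustration.

```python
import base64
import json
import time
import urllib.request

TOKEN_URL = "https://customdomain.com/api/oauth/token"  # endpoint from this page


def basic_auth_header(client_id, client_secret):
    """Return the Basic credential: base64("client_id:client_secret"), padded."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id, client_secret, url=TOKEN_URL):
    """Build (without sending) the POST request described on this page."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send client credentials over a non-TLS URL")
    return urllib.request.Request(
        url,
        data=b"grant_type=client_credentials",
        method="POST",
        headers={
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def fetch_token(request):
    """Send the request and return the decoded JSON body (network call)."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Reuse one token until shortly before it expires (margin is an assumed value)."""

    def __init__(self, client_id, client_secret, fetch=fetch_token, clock=time.monotonic, margin=60):
        self._request = build_token_request(client_id, client_secret)
        self._fetch, self._clock, self._margin = fetch, clock, margin
        self._token, self._deadline = None, 0.0

    def auth_header(self):
        """Return the Bearer header for API calls, refreshing the token if needed."""
        if self._token is None or self._clock() >= self._deadline:
            body = self._fetch(self._request)
            if body.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type in token response")
            self._token = body["access_token"]
            self._deadline = self._clock() + int(body["expires_in"]) - self._margin
        return {"Authorization": "Bearer " + self._token}
```

Merge the dictionary returned by auth_header() into the headers of each API request; the fetch and clock parameters exist so the refresh logic can be exercised without network access.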