Authentication
Authentication is done via OAuth2 using client credentials. This is a method primarily used for server-to-server communication where the user context is not required. This OAuth2 flow is particularly useful for allowing applications to securely interact with an API without user intervention. Here's how it works:
Client Registration: Before any authentication can take place, the application (client) must be registered with the OAuth2 provider (authorization server). During registration, the client is assigned a unique client ID and a client secret. These credentials are used to authenticate the client during the OAuth2 flow. They will be provided to you by the API support team (apisupport@resharmonics.com).
Token Request: To authenticate, the client sends a request to the OAuth2 provider’s token endpoint. This request includes the client ID, client secret, and the grant type, which is specified as client_credentials, see Get Access Token.
Token Response: If the credentials are valid, the OAuth2 provider responds with an access token. This token is a bearer token, which means that whoever possesses the token has the authorization it grants. The response usually includes the type of token, its expiration time, and any other relevant information.
Accessing the API: The client uses the received access token to make API requests. The token is included in the HTTP headers of each request, typically as an Authorization header with the format Authorization: Bearer <access_token>. This tells the API that the request is authenticated and should be allowed if the token is valid.
Token Expiration and Renewal: Access tokens have a limited lifespan for security reasons. Once an access token expires, it cannot be used anymore. The client must request a new access token from the OAuth2 provider using the same client credentials if continued access is needed.
If a token has expired, you receive response code 401 with the following body:
{
"message": "The incoming token has expired"
}
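The following is an added example of a client for the flow described above (it is not code from the Resharmonics API or its documentation). It requests a token with grant_type=client_credentials, caches it until shortly before the advertised expiry, and re-authenticates once when the API answers 401 with the "The incoming token has expired" body. Assumptions: the token endpoint URL is a placeholder (the real one is in Get Access Token), the client ID and secret are sent as HTTP Basic credentials, and FakeServer is a constructed stand-in so the code runs offline.

```python
import base64
import time

TOKEN_URL = "https://<auth-server>/oauth2/token"   # placeholder: real URL is in "Get Access Token"
EXPIRED_MSG = "The incoming token has expired"     # body of the documented 401 response


class ClientCredentialsClient:
    """Fetches a bearer token with grant_type=client_credentials and renews it on expiry."""
    def __init__(self, client_id, client_secret, transport, clock=time.time):
        # transport(method, url, headers, body) -> (status, json); credentials as HTTP Basic (assumed)
        self._basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self._transport, self._clock = transport, clock
        self._token, self._expires_at = None, 0.0

    def _request_token(self):
        headers = {"Authorization": f"Basic {self._basic}",
                   "Content-Type": "application/x-www-form-urlencoded"}
        status, body = self._transport("POST", TOKEN_URL, headers, "grant_type=client_credentials")
        if status != 200 or body.get("token_type", "").lower() != "bearer":
            raise RuntimeError(f"token request failed: {status} {body}")
        # Renew 30 s before the advertised lifetime so a token never expires mid-request.
        self._expires_at = self._clock() + float(body["expires_in"]) - 30
        self._token = body["access_token"]

    def get(self, url):
        if self._token is None or self._clock() >= self._expires_at:
            self._request_token()
        status, body = self._transport("GET", url, {"Authorization": f"Bearer {self._token}"}, "")
        if status == 401 and body.get("message") == EXPIRED_MSG:
            # The server's view of expiry wins: fetch a fresh token and retry exactly once.
            self._request_token()
            status, body = self._transport("GET", url, {"Authorization": f"Bearer {self._token}"}, "")
        return status, body


class FakeServer:
    """Constructed stand-in for the authorization server and the API, so the example runs offline."""
    def __init__(self, clock, lifetime=3600):
        self.clock, self.lifetime, self.issued, self.token_requests = clock, lifetime, {}, 0

    def __call__(self, method, url, headers, body):
        if url == TOKEN_URL:                      # token endpoint: mint a new bearer token
            self.token_requests += 1
            tok = f"tok{self.token_requests}"
            self.issued[tok] = self.clock() + self.lifetime
            return 200, {"access_token": tok, "token_type": "Bearer", "expires_in": self.lifetime}
        tok = headers.get("Authorization", "")[len("Bearer "):]   # API endpoint: check the token
        if self.issued.get(tok, 0) <= self.clock():
            return 401, {"message": EXPIRED_MSG}
        return 200, {"ok": True}
```

Replacing FakeServer with a real transport (for example one built on urllib or requests) needs only the same (method, url, headers, body) -> (status, json) signature.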
This flow is particularly suited for background services or automated tasks where human interaction is not feasible or necessary. It provides a robust mechanism for authenticating API access without exposing user credentials after the initial registration.