OAuth Authorization

overview the oauth system allows for vendors to set up separate credentials for their company, customer accounts, customers or individual licenses each entity has a client id and client secret (which can be set to rotate automatically) these are used to obtain an access token from the oauth endpoint, to be used for access to license api endpoints (as an alternative to api key authorization docid\ lnlwu0yzltc1fnos9voqj ) vendors can enforce a company wide mandatory oauth rule instead of api keys obtaining an access token access tokens are short lived secret strings used to authorize a client request on the api to obtain an access token from the oauth system, perform the following request name request oauth token method post url https auth licensespring com realms user portal protocol openid connect token description generates an access token and returns an object containing the token and associated metadata tab examples examples languages id i37audwp1vwnvaxezzi7v language curl code curl location https auth licensespring com realms user portal protocol openid connect token n header content type application x www form urlencoded n data urlencode client id client id here n data urlencode client secret client secret here n data urlencode grant type client credentials customlabel selectedlanguageid i37audwp1vwnvaxezzi7v results languages id lcy ockwaqjhmvjvj4cu5 language 200 customlabel code n access token token string here n expires in 480 n refresh expires in 0 n token type bearer n not before policy 0 n scope profile email n id duvgzyragn08cj0px4ri language 401 code n error invalid client n error description invalid client or invalid client credentials n customlabel selectedlanguageid lcy ockwaqjhmvjvj4cu5 request pathparameters queryparameters headerparameters name content type kind required type string description must be application x www form urlencoded must be application x www form urlencoded bodydataparameters formdataparameters name grant type kind required type string description must be client credentials must be client credentials name client id kind required type string description client id client id name client secret kind required type string description client secret client secret currentnewparameter label form parameter value formdataparameters hastryitout false once the access token is retrieved, it is used as an authentication bearer value in license api requests the expires in property in the response states the access token's ttl in seconds from the moment the token was generated required headers each client request must include the following headers date current time given as a date string in rfc7231 format note that this value is always in the gmt timezone example date tue, 07 jun 2014 20 51 35 gmt authorization this header contains the access token examples authorization bearer token string here ensure that the date header value is set to current time the server allows timestamps that are up to 15 minutes old client access permissions client id secret pairs can be scoped for the following resources company provides access to all licenses belonging to the company customer account provides access to all licenses associated to a customer account customer provides access to all licenses associated to an individual customer license provides access to one specific license each client id string states the type of scope used, e g auth company 100123 , auth customeraccount 200234 , auth customer 300345 , auth license 1000456 errors in endpoints when calling a license api endpoint using the access token authorization, the system will return an error response if the access token is not valid all returned errors have an http status code of 400 or higher, and a response body as follows { status number, code string, message string } json schema { "$schema" "https //json schema org/draft/2020 12/schema", "type" "object", "properties" { "status" { "type" "number" }, "code" { "type" "string" }, "message" { "type" "string" } }, "required" \[ "status", "code", "message" ], "additionalproperties" false } the following errors related to access tokens can be returned in case oauth is enforced company wide and a request is being sent using an api key