
Authorization

This section provides definitions of the structure and content of the Sinch Authentication 365 authorization service method.

Note

Store the access token and reuse it, so that a new access token does not have to be generated every time an API call is made. When the access token expires, request a new one using the same clientID & secret or by using the refresh_token.

1. Getting access_token from api_key and api_secret

This request returns a bearer token, which must then be added to the header of each request to authorize the user to execute the endpoint:

<Auth365 oAuth Token Request> ::= basic Auth 
<username> ::= <Integer Literal>
<password> ::= <Integer Literal>

Where:

| Property | Description |
|---|---|
| Username | The api_key (or appCode) which a client can generate from the Manage API keys page on the Authentication 365 UI. |
| Password | The secret key that protects the username for authorization. This refers to the corresponding api_secret generated on the Manage API Keys page on the Authentication 365 UI. |

<Auth365 oAuth Token Response> ::=
<access_token> ::= <String Literal>
<refresh_token> ::= <String Literal>
<expiration_time> ::= <Integer Literal>

Where:

| Property | Description |
|---|---|
| access_token | Authorization token that permits the subsequent requests to be called. It is always added to the header of the request. |
| refresh_token | Can be used to request a new <access_token> without using the user and password again. |
| expiration_time | How long the token is valid for. |

Content-Type: application/x-www-form-urlencoded

Body

{
    "grant_type": "client_credentials"
}

Response

{
    "access_token": "<oAuth token>",
    "refresh_token": "<refresh_token>",
    "expiration_time": <expiration_time>
}

2. Getting access_token from refresh_token

With this technique, a refresh_token that is already available is used to fetch a fresh access_token, instead of using the client credentials every time. This request doesn’t require any request body; the refresh token is sent through headers. The following header is required for this approach.

<Auth365 oAuth Token Request Header> ::= 
<grant_type> ::= <String Literal>
<refresh_token>  ::= <String Literal>

Header

Content-Type: application/x-www-form-urlencoded

Body

{
    "grant_type": "refresh_token",
    "refresh_token": "<refresh_token>"
}

Response

{
    "access_token": "<oAuth token>",
    "refresh_token": "<refresh_token>",
    "expiration_time": <expiration_time>
}

Note

Store the access token and reuse it, so that a new access token does not have to be generated every time an API call is made. When the access token expires, request a new one using the same username & password or by using the refresh_token.
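
The caching advice in the notes, as an added example that is not Sinch's own code: a small Python token cache that reuses the stored access_token, renews it with the refresh_token shortly before expiry, and falls back to api_key/api_secret if the refresh is rejected. TOKEN_URL is a placeholder and the send hook is hypothetical; the example also assumes that expiration_time is a lifetime in seconds and that the refresh fields travel in the form-encoded body without Basic auth.

```python
import base64
import time
from urllib.parse import urlencode

TOKEN_URL = "https://auth365.example.invalid/token"  # placeholder, not a real endpoint


class TokenCache:
    """Caches the access_token and renews it only when it is about to expire."""

    def __init__(self, api_key, api_secret, send, clock=time.monotonic, skew=30):
        # send(url, headers, body) -> dict is a hypothetical transport hook so the
        # logic runs offline; in production it would wrap an HTTPS POST.
        basic = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
        self._basic = {"Authorization": f"Basic {basic}"}
        self._send, self._clock, self._skew = send, clock, skew
        self._access = self._refresh = None
        self._expires_at = 0.0

    def _request(self, fields, auth):
        headers = {"Content-Type": "application/x-www-form-urlencoded", **auth}
        reply = self._send(TOKEN_URL, headers, urlencode(fields))
        # Parse everything before touching state, so a malformed reply changes nothing.
        # Assumption: expiration_time is a lifetime in seconds.
        access, ttl = reply["access_token"], int(reply["expiration_time"])
        self._access, self._expires_at = access, self._clock() + ttl
        self._refresh = reply.get("refresh_token", self._refresh)

    def token(self):
        if self._access and self._clock() < self._expires_at - self._skew:
            return self._access  # still valid: no network call, no credentials sent
        if self._refresh:
            try:
                self._request({"grant_type": "refresh_token",
                               "refresh_token": self._refresh}, {})
                return self._access
            except Exception:
                self._refresh = None  # rejected or malformed: fall back to credentials
        self._request({"grant_type": "client_credentials"}, self._basic)
        return self._access

    def auth_header(self):
        # Header to attach to every subsequent API request.
        return {"Authorization": f"Bearer {self.token()}"}
```

Keep api_secret and the refresh_token out of logs and error messages; the cache holds both only in memory.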