How to authenticate

Short description


Example

POST https://integration.webtopsolutions.com/flow/authtoken

Body

grant_type=client_credentials&client_id=demo_client&client_secret=566gg61e-7859-4494-a6cd-0c51451sdc

Response example:

{
  "access_token": "XBNoMfVoaFIb4Af4FuHH5m_8V-0cuh9B5Z9hFe7lNmdbOrRf2y3...",
  "token_type": "bearer",
  "expires_in": 1200,
  "refresh_token": "CQB0QSbfrQzVsvrbu4FUpw1v-KXqkSfOGP-ZqKrgrLWKsPWV6HyP...",
  "refresh_token_expires_in": 608399
}

Response description

access_token
Proves that a user is authenticated and is used as an identifier in the backend. Must be sent in all queries against Flow that require authentication. Sent as a header parameter:

Authorization: Bearer XBNoMfVoaFIb4Af4FuHH5m_8V...

refresh_token
Can be used to retrieve a new access_token when the access_token has expired, as the refresh_token has a longer expiration time.

POST /authtoken

Body

grant_type=refresh_token&client_id=myclient&refresh_token=v8jg5ohutgJP2efCSp9-HFpLBhdDt...

Response example

{
  "access_token": "XBNoMfVoaFIb4Af4FuHH5m_8V-0cuh9B5Z9hFe7lNmdbOrRf2y3...",
  "token_type": "bearer",
  "expires_in": 1200
}

Returns an error when the refresh_token has expired:

{
  "error": "invalid_grant"
}

Then just reuse client credentials to fetch a new one.

For most purposes you can ignore the refresh token and just implement authentication using client credentials, since your application has access to the client secret at all times.
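
The token lifecycle described above (cache the access_token until expires_in runs out, try the refresh_token, fall back to client credentials on invalid_grant) as an added example; it is not code from Flow or its documentation. The names FlowTokenManager, http_post_form and skew are hypothetical, and it assumes error responses arrive as a JSON body.

```python
import json
import time
from urllib import error, parse, request

TOKEN_URL = "https://integration.webtopsolutions.com/flow/authtoken"  # endpoint from the page

def http_post_form(url, fields):
    """Default transport: form-encoded POST, returns the parsed JSON body."""
    req = request.Request(url, data=parse.urlencode(fields).encode(), method="POST")
    try:
        with request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except error.HTTPError as err:  # assumption: errors arrive as JSON on a 4xx
        return json.load(err)

class FlowTokenManager:  # hypothetical name, not part of any Flow SDK
    def __init__(self, client_id, client_secret, post=http_post_form, clock=time.monotonic, skew=30):
        self.client_id, self.client_secret = client_id, client_secret
        self.post, self.clock, self.skew = post, clock, skew  # skew: renew this many seconds early
        self.access = self.refresh = None
        self.access_exp = self.refresh_exp = 0.0

    def _store(self, body, now):
        self.access = body["access_token"]
        self.access_exp = now + body["expires_in"] - self.skew
        if "refresh_token" in body:  # the refresh response on the page carries none
            self.refresh = body["refresh_token"]
            self.refresh_exp = now + body["refresh_token_expires_in"] - self.skew

    def _login(self, now):
        body = self.post(TOKEN_URL, {"grant_type": "client_credentials",
            "client_id": self.client_id, "client_secret": self.client_secret})
        if "access_token" not in body:  # report only the error code, never the secret
            raise RuntimeError("authentication failed: %s" % body.get("error"))
        self._store(body, now)

    def auth_header(self):
        now = self.clock()
        if self.access is None or now >= self.access_exp:
            body = {}
            if self.refresh and now < self.refresh_exp:
                body = self.post(TOKEN_URL, {"grant_type": "refresh_token",
                    "client_id": self.client_id, "refresh_token": self.refresh})
            if "access_token" in body:
                self._store(body, now)
            else:  # no usable refresh token, or {"error": "invalid_grant"}
                self.refresh = None
                self._login(now)
        return {"Authorization": "Bearer " + self.access}
```

Load the client secret from the environment or a secret store rather than from source code, and merge the dictionary returned by auth_header() into the headers of each request that requires authentication.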