User Authorization
The merchant-related endpoints are secured via OAuth2.
The authorization system issues a short-lived access token together with a refresh token. The access token expires after 5 minutes and the refresh token after 30 minutes. When the access token has expired, the refresh token is sent to the authorization server to obtain a new access token.
The POST request should be sent to the /api/v1/oauth/token endpoint. The authorization header contains:

Parameter Name | Description |
---|---|
Authorization: Basic | The basic authentication token that can be created with the Bearer base64(CLIENT_ID/CLIENT_PASSWORD). In Stash!'s case the Dashboard Web Application is the client. |
The request body contains key-value pairs:

Parameter Name | Description | Type | Required |
---|---|---|---|
grant_type | The value should be password | String | Yes |
username | Username of the user who wants to access the related resource | String | Yes |
password | Password of the user who wants to access the related resource | String | Yes |
client_id | Client id of the application that requests access to the related resource | String | Yes |
The response body will contain:

Parameter Name | Description | Type |
---|---|---|
access_token | The access token | String |
token_type | This will be bearer | String |
refresh_token | The refresh token | String |
expires_in | This will have the value 299 seconds | String |
scope | This will be user | String |
jti | Unique token identifier | String |

The access_token must then be used as the value for basic authentication whenever needed in further calls.
To renew an expired access token, the POST request should be sent to the /api/v1/oauth/token endpoint. The authorization header contains:

Parameter Name | Description |
---|---|
Authorization: Basic | The basic authentication token that can be created with the Bearer base64(CLIENT_ID/CLIENT_PASSWORD). In Stash!'s case the Dashboard Web Application is the client. |
The request body contains key-value pairs:

Parameter Name | Description | Type | Required |
---|---|---|---|
grant_type | The value should be refresh_token | String | Yes |
client_id | Client id of the application that requests access to the related resource | String | Yes |
refresh_token | Refresh token is the token received during the request access token call | String | Yes |
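The two token calls above (password grant, then refresh_token grant) as one added client example; this is not code from the Stash! project. It assumes the standard RFC 7617 Basic encoding of `client_id:client_secret`, sends the access token as a Bearer token (the token_type the response declares), and takes the HTTP transport as an injected `send` callable so the expiry and refresh logic can be exercised offline.

```python
import base64
import time
from urllib.parse import urlencode

TOKEN_PATH = "/api/v1/oauth/token"
REFRESH_MARGIN = 30  # renew this many seconds before the access token expires


def basic_auth_header(client_id, client_secret):
    """Authorization: Basic header for the client (assumed RFC 7617 'id:secret' form)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


class TokenClient:
    """Obtains an access token with the password grant and renews it with the refresh token."""

    def __init__(self, client_id, client_secret, send, now=time.time):
        self.client_id = client_id
        self.header = basic_auth_header(client_id, client_secret)
        self.send = send  # send(path, headers, body) -> dict parsed from the JSON response
        self.now = now    # clock, injectable so expiry can be tested without waiting
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _token_request(self, fields):
        headers = {"Authorization": self.header,
                   "Content-Type": "application/x-www-form-urlencoded"}
        resp = self.send(TOKEN_PATH, headers, urlencode(fields))
        if str(resp.get("token_type", "")).lower() != "bearer":
            raise ValueError("unexpected token_type: %r" % resp.get("token_type"))
        self.access_token = resp["access_token"]
        self.refresh_token = resp["refresh_token"]
        # expires_in is 299 s for this server; track the absolute expiry locally
        self.expires_at = self.now() + int(resp["expires_in"])
        return resp

    def login(self, username, password):
        return self._token_request({"grant_type": "password", "username": username,
                                    "password": password, "client_id": self.client_id})

    def refresh(self):
        if not self.refresh_token:
            raise RuntimeError("no refresh token; call login() first")
        return self._token_request({"grant_type": "refresh_token",
                                    "client_id": self.client_id,
                                    "refresh_token": self.refresh_token})

    def bearer_header(self):
        """Header for merchant endpoints; refreshes first if the access token is about to expire."""
        if self.now() >= self.expires_at - REFRESH_MARGIN:
            self.refresh()
        return {"Authorization": "Bearer " + self.access_token}
```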