OAuth2 access tokens
The Pryon APIs are authenticated with OAuth2 access tokens in JSON Web Token (JWT) format. Access tokens are end-user tokens retrieved through an OpenID Connect flow or a machine-to-machine client ID authentication flow.
The tenant (organization) for a customer is associated with an identity that is federated through the identity provider during login. This service retrieves user tokens (single sign-on for UI applications and machine tokens for server applications).
OAuth2 client_credentials flow
OAuth2 token APIs use service key requests to obtain a set of service account credentials. User flow is handled with the Implicit or Code flows defined by OAuth2.
Details can be found in the IETF OAuth 2.0 Authorization Framework.
Token request
Request Parameter | Description | Value |
grant_type | OAuth2 grant type | client_credentials |
audience | OAuth2 target for the token request | https://pryon/api |
client_id | Unique identifier for the API user | Supplied by Pryon |
client_secret | Password | Supplied by Pryon |
#!/bin/bash
# Example machine-to-machine token request based on the client_credentials grant type.
# Replace {IdpClientId} and {IdpClientSecret} with the values supplied by Pryon.
curl --request POST --url https://login.pryon.net/oauth/token \
  --header 'content-type: application/json' \
  --data '{
    "client_id": "{IdpClientId}",
    "client_secret": "{IdpClientSecret}",
    "audience": "https://pryon/api",
    "grant_type": "client_credentials"
  }'
Token response
Response Parameter | Description | Value |
access_token | Grants bearer authorization to the APIs | aapUMkd...AHA |
token_type | The audience of the token (bearer) | Bearer |
expires_in | Expiration time of the access token in seconds (default is 86400 = 24hr) | 86400 |
{
  "access_token": "aapUMkd...AHA",
  "token_type": "Bearer",
  "expires_in": 86400
}
Token reuse
For server applications, we recommend retaining server tokens and reusing them over their available lifetime (as specified by the expires_in response value). Tokens are typically valid for 24 hours, and reuse eliminates the overhead of requesting a new token on each API call.
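One way to implement this reuse in a server application, as an added example that is not Pryon's own code. The names request_token and TokenCache and the 60-second renewal margin are assumptions; the endpoint, audience and response fields are the ones shown above.

```python
import json
import threading
import time
import urllib.request

TOKEN_URL = "https://login.pryon.net/oauth/token"  # endpoint from the request above
AUDIENCE = "https://pryon/api"


def request_token(client_id, client_secret):
    """POST the client_credentials request shown above and return the parsed JSON."""
    body = json.dumps({"client_id": client_id, "client_secret": client_secret,
                       "audience": AUDIENCE, "grant_type": "client_credentials"}).encode()
    req = urllib.request.Request(TOKEN_URL, data=body, method="POST",
                                 headers={"content-type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Hypothetical helper: holds one token in memory and reuses it until just before expiry."""

    def __init__(self, fetch, skew=60, clock=time.monotonic):
        self._fetch = fetch    # callable returning the token response as a dict
        self._skew = skew      # assumption: renew 60 s early to absorb latency
        self._clock = clock    # injectable so expiry can be tested without waiting
        self._lock = threading.Lock()
        self._token = None
        self._expires_at = 0.0

    def get(self):
        """Return the cached access token, requesting a new one only when needed."""
        with self._lock:  # serialize refreshes so concurrent callers share one request
            if self._token is None or self._clock() >= self._expires_at:
                resp = self._fetch()
                if str(resp.get("token_type", "")).lower() != "bearer":
                    raise ValueError("unexpected token_type in token response")
                lifetime = max(int(resp["expires_in"]) - self._skew, 0)
                self._token = resp["access_token"]
                self._expires_at = self._clock() + lifetime
            return self._token

    def invalidate(self):
        """Drop the cached token, for example after an API call is rejected with 401."""
        with self._lock:
            self._token = None
```

Construct it once per process, for example `TokenCache(lambda: request_token(client_id, client_secret))`, and call `get()` before each API request. The token stays in memory only and is never written to logs or disk by this helper.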