Our API endpoints (and your license records) are protected assets. Let's use a standard OAuth2 client credentials grant with your new API Key to request a short-lived access token and a longer-lived refresh token.
For the curious folk, we use JWTs to decentralize validation to the microservice layer, leveraging claims like exp, scp, aud, and sub.
For our standard APIs you'll only need a single scope, index. Just add your API Key ID to the client_id field and Secret to the
Then press Try it. Boom, you're now the proud owner of an
Access tokens are short-lived by nature. In your production environment you'll likely need to "refresh" them, and while you can always run it back with your client_credentials grant, using a refresh_token grant adds an additional layer of security.
Refresh tokens limit the need for you to repeatedly send your secret key over the internet, and they are single-use to prevent replay attacks! Each time you use a refresh_token, update both your local
Note: Refresh tokens do exactly what they sound like: they refresh a grant. If you want to change scope(s), you'll need to use the
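The refresh flow described above, sketched as a client-side token manager. This is an added example, not code from this API's documentation or SDK: `TokenManager`, `FakeTokenEndpoint` and the `post` transport are hypothetical names, the response fields follow the RFC 6749 names (`access_token`, `refresh_token`, `expires_in`), and the refresh request is assumed to carry only the refresh token, as the text implies.

```python
import time

class TokenManager:
    """Added example (hypothetical names): keeps a token pair current."""
    def __init__(self, post, client_id, client_secret, scope="index", skew=30):
        self._post = post                  # callable(form_dict) -> response dict
        self._creds = {"client_id": client_id, "client_secret": client_secret}
        self._scope, self._skew = scope, skew
        self.access = self.refresh = None
        self.expires_at = 0.0

    def _store(self, resp):
        # Single-use refresh tokens: replace BOTH tokens from every response.
        self.access, self.refresh = resp["access_token"], resp["refresh_token"]
        self.expires_at = time.time() + resp["expires_in"]

    def token(self):
        if self.access and time.time() < self.expires_at - self._skew:
            return self.access             # still valid, no network call
        if self.refresh:
            resp = self._post({"grant_type": "refresh_token",
                               "refresh_token": self.refresh})
            if "error" not in resp:
                self._store(resp)
                return self.access
            self.refresh = None            # spent or revoked; never retry it
        resp = self._post({"grant_type": "client_credentials",
                           "scope": self._scope, **self._creds})
        if "error" in resp:
            raise RuntimeError(resp["error"])
        self._store(resp)
        return self.access

class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint; enforces single use."""
    def __init__(self):
        self.live, self.n, self.secret_sends = set(), 0, 0

    def __call__(self, form):
        if form["grant_type"] == "refresh_token":
            if form["refresh_token"] not in self.live:
                return {"error": "invalid_grant"}   # replayed or unknown token
            self.live.discard(form["refresh_token"])
        else:
            self.secret_sends += 1         # count how often the secret travels
        self.n += 1
        self.live.add(f"rt-{self.n}")
        return {"access_token": f"at-{self.n}", "refresh_token": f"rt-{self.n}",
                "expires_in": 300}
```

In production, `post` would be a function that sends the form to the token endpoint over TLS and returns the parsed JSON body.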