Use your API Key to request an authorization token —required for most API requests.
Our API endpoints (and your license records) are protected assets. Let's use a standard OAuth2 client credentials grant with your new API Key to request a short-lived access token and a longer-lived refresh token.
For the curious folk, we use JWTs to decentralize validation to the microservice layer, leveraging claims like exp, scp, aud, and sub.
For our standard API's you'll only need a single scope index. Just add your API Key ID to the client_id field and Secret to the client_secret field.
Then press Try it. Boom, you're now the proud owner of an access_token.
Access Tokens by nature are short-lived. In your production environment, you'll likely need to "refresh" them and while you can always run it back with your client_credentials grant. Using a refresh_token grant adds an additional layer of security.
Refresh tokens limit the need for you to repeatedly send your secret key over the internet and their single use to prevent replay attacks! Each time you use a refresh_token, update both your local access_token and refresh_token records.
Note: Refresh Tokens do exactly what it sounds like, they refresh a grant. If you want to change scope(s), you'll need to use the client_credentials grant