Authenticated API Usage

We use a Bearer Token to authenticate API calls. This token can be acquired via the OAuth Client Credentials flow.

  1. Using your clientId and clientSecret (provided by us during onboarding) you obtain a Bearer Token. You authenticate with this token against our API in all calls. The token is valid for all organizations you have been authorized for on the specific environment (sandbox or production).
  2. This Bearer Token has a time to live (TTL) of 10-24 hours and gives you access to our endpoints. It must be sent with every request to the API. Use the TTL (expires_in) returned when fetching a token and create a new token only shortly before the TTL is exceeded.
  3. Refresh the token before it expires. Until then, the token must be reused! Do not request a new token on every call to our API.
Token request (production):

curl --location --request POST 'https://infinnityprodinternal.eu.auth0.com/oauth/token' \
--header 'Content-Type: application/json' \
--data-raw '{
    "client_id": "YOUR CLIENT ID",
    "client_secret": "YOUR CLIENT SECRET",
    "audience": "api.getpliant.com/api/integration",
    "grant_type": "client_credentials"
}'

Token request (staging/sandbox):

curl --location --request POST 'https://infinnitystaginginternal.eu.auth0.com/oauth/token' \
--header 'Content-Type: application/json' \
--data-raw '{
    "client_id": "YOUR CLIENT ID",
    "client_secret": "YOUR CLIENT SECRET",
    "audience": "api.staging.v2.infinnitytest.com/api/integration",
    "grant_type": "client_credentials"
}'

Example response:

{
    "access_token": "ey...0A",
    "expires_in": 86400,
    "token_type": "Bearer"
}

The token is not invalidated before the timeout (TTL).

More on the topic can be found here:

HTTPS is Mandatory

All API communication must be made over HTTPS, plain HTTP is not allowed.
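The token-reuse rules above (fetch once, honour expires_in, refresh shortly before the TTL is exceeded) and the HTTPS requirement, shown together as an added example. This is not code from the original documentation or from the API provider: the token endpoint and audience are copied from the page, while the helper names (is_https, fetch_token_http, TokenCache), the 300-second refresh margin and the injectable clock are assumptions of this example.

```python
"""Added example (not part of the original documentation): a small
client-credentials token cache that reuses a Bearer Token until shortly
before its TTL is exceeded, then refreshes it. The endpoint URL and
audience are copied from the page; refresh_margin and the helper names
are assumptions of this example."""
import json
import time
import urllib.request
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# Production token endpoint and audience as shown on the page.
TOKEN_URL = "https://infinnityprodinternal.eu.auth0.com/oauth/token"
AUDIENCE = "api.getpliant.com/api/integration"


def is_https(url: str) -> bool:
    """Return True only for https:// URLs; plain HTTP is not allowed."""
    return urlsplit(url).scheme == "https"


def fetch_token_http(token_url: str, client_id: str, client_secret: str,
                     audience: str) -> Dict:
    """Perform the OAuth Client Credentials request and return the JSON body
    ({"access_token", "expires_in", "token_type"})."""
    if not is_https(token_url):
        raise ValueError("token endpoint must be reached over HTTPS")
    body = json.dumps({
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
        "grant_type": "client_credentials",
    }).encode("utf-8")
    req = urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Holds one Bearer Token and refreshes it only when it is about to
    expire. `fetch` returns the token JSON; `clock` is injectable so the
    behaviour can be checked without waiting a day."""

    def __init__(self, fetch: Callable[[], Dict], refresh_margin: int = 300,
                 clock: Callable[[], float] = time.time):
        self._fetch = fetch
        self._margin = refresh_margin   # seconds before expiry to refresh (assumed value)
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0            # number of calls made to the token endpoint

    def get(self) -> str:
        """Return the cached token, fetching a new one only near expiry."""
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            data = self._fetch()
            self.fetch_count += 1
            self._token = data["access_token"]
            # Trust expires_in from the response instead of a hard-coded TTL.
            self._expires_at = now + int(data["expires_in"])
        return self._token

    def auth_header(self) -> Dict[str, str]:
        """Header to attach to every API request."""
        return {"Authorization": f"Bearer {self.get()}"}


if __name__ == "__main__":
    # Real usage: credentials come from onboarding and stay on the backend.
    import os
    cache = TokenCache(lambda: fetch_token_http(
        TOKEN_URL, os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"], AUDIENCE))
    print(cache.auth_header())
```

The cache is the only place that talks to the token endpoint; every API call goes through auth_header(), so a token is requested once per TTL window rather than once per request, and the refresh margin gives in-flight requests time to complete before the old token expires.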

Only Backend to Backend Communication allowed

Always run the authorization flow (obtaining the token) from a secure backend. For security reasons (to not expose the client secret), web frontends and mobile applications must not communicate directly with our API!