
Authentication and Authorization

Auth Required

Retrieve an access token using your client credentials. This token is required for authenticating all subsequent API requests to AAJ Express services.

Token Lifetime

36,000 seconds (10 hours)

Grant Type

Client Credentials

Scope

read · write · groups


Endpoint overview

Method: POST (public endpoint)

URL: {{iam_url}}/api/v2/o/token/

  • No authentication required (uses client credentials in body)
  • Returns a bearer token for subsequent API calls
  • Token must be refreshed before expiration

Request headers

Header        Value             Description
------------  ----------------  ------------------------
Content-Type  application/json  Specifies the media type

Request body

Parameter      Type    Required  Description
-------------  ------  --------  -------------------------------------------
grant_type     string  Yes       Set to "client_credentials"
client_id      string  Yes       Your unique client identifier
client_secret  string  Yes       Your client secret key (keep confidential)
redirect_uri   string  Yes       The URI to redirect to after authentication

Sample request

{
  "grant_type": "client_credentials",
  "client_id": "your_client_id",
  "client_secret": "your_client_secret",
  "redirect_uri": "https://your_redirect_uri"
}

Response

{
  "access_token": "CBa3xAxB7xrYS1stedHKT4pzQ0raer",
  "expires_in": 36000,
  "token_type": "Bearer",
  "scope": "read write groups"
}

Response fields

Field         Type    Description
------------  ------  ------------------------------------------------
access_token  string  The token to use for authenticating API requests
expires_in    number  Duration in seconds for which the token is valid
token_type    string  Token type (always "Bearer")
scope         string  Permissions granted to the token

Using the token

Include the access token in the Authorization header of all subsequent API requests:

Authorization: Bearer CBa3xAxB7xrYS1stedHKT4pzQ0raer

Error responses

Invalid Credentials

{
  "error": "invalid_client"
}

Status Code: 401 Unauthorized

Missing Parameters

{
  "detail": "Invalid credentials given."
}

Status Code: 400 Bad Request
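The following client is an added example and is not part of the AAJ Express SDK or this documentation. It implements the flow described above: POST the client-credentials body to {{iam_url}}/api/v2/o/token/, cache the returned access_token, refresh it before expires_in elapses, attach it as a Bearer Authorization header, and map the 401 and 400 error responses to an exception. The IAM base URL, client id, secret and redirect URI are placeholders, the 300-second refresh leeway is an assumed policy, and the HTTP transport is injectable so the behaviour can be exercised offline against constructed responses that mirror the ones documented on this page.

```python
"""Client-credentials token client for the AAJ Express IAM token endpoint.

Added example, not the project's own code. Assumes the request body, response
fields and error bodies documented on the page; all credentials are placeholders.
"""
import json
import time
import urllib.error
import urllib.request

TOKEN_PATH = "/api/v2/o/token/"
# Assumed policy: treat the token as stale 5 minutes before the server's expires_in.
REFRESH_LEEWAY_SECONDS = 300


class TokenError(Exception):
    """Raised when the token endpoint rejects the request (e.g. 401 or 400)."""

    def __init__(self, status, body):
        # The message carries only the server's status and body, never the client_secret.
        super().__init__(f"token request failed: HTTP {status} {json.dumps(body)}")
        self.status = status
        self.body = body


def urllib_post(url, payload):
    """Default transport: POST a JSON body and return (status, parsed JSON body)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as exc:
        # Error responses still carry a JSON body ("error" or "detail").
        return exc.code, json.loads(exc.read() or b"{}")


class TokenClient:
    """Fetches, caches and refreshes a bearer token obtained with client credentials."""

    def __init__(self, iam_url, client_id, client_secret, redirect_uri,
                 post=urllib_post, clock=time.monotonic):
        self._url = iam_url.rstrip("/") + TOKEN_PATH
        self._client_id = client_id
        self._client_secret = client_secret  # kept in memory only; never logged
        self._redirect_uri = redirect_uri
        self._post = post      # injectable transport: (url, payload) -> (status, body)
        self._clock = clock    # injectable monotonic clock, in seconds
        self._token = None
        self._expires_at = 0.0

    def fetch(self):
        """Request a fresh token; raise TokenError on any non-success response."""
        status, body = self._post(self._url, {
            "grant_type": "client_credentials",
            "client_id": self._client_id,
            "client_secret": self._client_secret,
            "redirect_uri": self._redirect_uri,
        })
        if status != 200 or "access_token" not in body:
            raise TokenError(status, body)
        self._token = body["access_token"]
        self._expires_at = self._clock() + float(body["expires_in"])
        return self._token

    def token(self):
        """Return the cached token, refreshing it when it is missing or near expiry."""
        stale_at = self._expires_at - REFRESH_LEEWAY_SECONDS
        if self._token is None or self._clock() >= stale_at:
            return self.fetch()
        return self._token

    def auth_headers(self):
        """Headers to attach to subsequent API requests."""
        return {"Authorization": f"Bearer {self.token()}"}


def fake_iam_post(url, payload):
    """Constructed stand-in for the IAM server, returning the page's documented bodies."""
    required = ("grant_type", "client_id", "client_secret", "redirect_uri")
    if any(key not in payload for key in required):
        return 400, {"detail": "Invalid credentials given."}
    if payload["client_id"] != "demo-client-id" or payload["client_secret"] != "demo-secret":
        return 401, {"error": "invalid_client"}
    return 200, {
        "access_token": "CBa3xAxB7xrYS1stedHKT4pzQ0raer",
        "expires_in": 36000,
        "token_type": "Bearer",
        "scope": "read write groups",
    }


if __name__ == "__main__":
    client = TokenClient("https://iam.example.invalid", "demo-client-id", "demo-secret",
                         "https://app.example.invalid/callback", post=fake_iam_post)
    print(client.auth_headers())
```

Pass a real IAM base URL and omit the post argument to use the urllib transport. Because the secret lives only in the client object and is never placed in the exception message, a logged TokenError does not leak it, which matters given the warning below.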


Security Warning: Never expose your client_secret in client-side code, public repositories, or logs. Treat it like a password.