Tokens & Authentication
LogiSense APIs use JSON Web Tokens (JWT) for authentication. This article will explain how to obtain, use, and refresh a JWT. For more information about JWT read this.
Typical Workflow
- Client requests token from Authorization Server
- Client includes token in API requests to Resource Server
Requesting a Token
- Token requests are made to the Authorization Server
https://my_server_location/AuthorizationServer/api/v10/Access/Login
- Use the POST verb
- Include request headers for Accept and Content-Type
NOTE: Use the version segment (v9, v10, etc.) in the request path that matches the version of the API being used.
| Token Request Header | Definition |
|---|---|
| Accept | application/json |
| Content-Type | application/x-www-form-urlencoded |
Option 1) Using Username/Password Authentication
| Form Encoded Param | Value |
|---|---|
| username | myusername |
| password | mypa$$word |
| grant_type | password |
| client_id | 044b8ad996845c29446b2f18e5b5909 (NOTE: example only and is provided by LogiSense support) |
Option 2) Using Client ID/Client Secret Authentication
| Form Encoded Param | Value |
|---|---|
| client_secret | xIiwiaXNJbnRlcmFjdGl2ZSI6IkZhbHNlIiwidW5p (NOTE: Generated in the User Interface) |
| grant_type | password |
| client_id | 044b8ad6006845c29996b2f18e5b5909 (NOTE: example only and is provided by LogiSense support) |
For more information on setting up API access for users please see the LogiSense user settings documentation.
```json
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW...",
  "refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJyZWZyZXNoVG9rZW5HdWlkIjoiODI3ZjlhNzYyN...",
  "token_type": "bearer",
  "expires_in": 1800,
  "audience": "044b8ad6006845c29446b2f18e5b5909",
  ".issued": "2022-11-01T19:49:41Z",
  ".expires": "2022-11-01T20:19:41Z",
  "actingOwnerId": 1
}
```
Using the Token
Let’s use our newly acquired token to get all the accounts. We note the following differences between a token request and an API request:
- API requests are made to the API/Resource Server
Example: my_server_location/ResourceServer/api/v10/Account
- Use the appropriate verb
- We still include request headers for Accept and Content-Type
- We need to include the token in the Authorization request header
| API Request Header | Definition |
|---|---|
| Accept | application/json |
| Content-Type | application/x-www-form-urlencoded |
| Authorization | Bearer yourBase64token |
Token Management
As noted when we received the access token, tokens do expire. Let’s compare and contrast requesting and refreshing a token:
- Do not send username or password in the refresh request
- Include the refresh token received when the original token was issued
- Token refresh requests are also made to the Authorization Server
- They also use the POST verb
- They also include request headers for Accept and Content-Type
- The body still includes the client_id
- The grant_type parameter takes a new value, refresh_token
- We need to include owner and user
| Refresh Request Parameter | Definition |
|---|---|
| refresh_token | A JWE or JWS in ‘Compact Serialization Format’ from the original authorization request |
| grant_type | refresh_token |
| client_id | “044b8ad9686845c29446b2f18e5b5909” - Will be the same as the initial token request |
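The three requests described above (login, API call, refresh), sketched as a small client-side token manager. This is an added example, not LogiSense code: it builds the requests without sending them, and the class and method names are hypothetical. Assumptions: the refresh request goes to the same Login path as the initial request, a 60-second safety margin is applied before expiry, and the owner and user fields are left out because the page does not give their parameter names.

```python
import time
import urllib.parse
import urllib.request

BASE = "https://my_server_location"  # placeholder host, as used on the page
LOGIN = BASE + "/AuthorizationServer/api/v10/Access/Login"
HEADERS = {"Accept": "application/json",
           "Content-Type": "application/x-www-form-urlencoded"}


def _post(url, form):
    """Build (do not send) a form-encoded POST; urlencode escapes '$', '&', etc."""
    body = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(url, data=body, headers=HEADERS, method="POST")


class TokenSession:  # hypothetical helper, not part of any LogiSense SDK
    def __init__(self, client_id, skew=60, clock=time.time):
        self.client_id, self.skew, self.clock = client_id, skew, clock
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def login_request(self, username, password):
        return _post(LOGIN, {"username": username, "password": password,
                             "grant_type": "password", "client_id": self.client_id})

    def store(self, response):
        """Record tokens from the parsed JSON token response."""
        if response.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type")
        self.access_token = response["access_token"]
        self.refresh_token = response["refresh_token"]
        self.expires_at = self.clock() + int(response["expires_in"])

    def needs_refresh(self):
        # Refresh slightly early so a token never expires in flight.
        return self.access_token is None or self.clock() >= self.expires_at - self.skew

    def refresh_request(self):
        # No username or password here: only the refresh token and client_id.
        return _post(LOGIN, {"refresh_token": self.refresh_token,
                             "grant_type": "refresh_token", "client_id": self.client_id})

    def api_request(self, path, method="GET"):
        if self.needs_refresh():
            raise RuntimeError("token missing or expired; refresh first")
        headers = dict(HEADERS, Authorization="Bearer " + self.access_token)
        return urllib.request.Request(BASE + "/ResourceServer/api/v10/" + path,
                                      headers=headers, method=method)
```

Pass each returned request to `urllib.request.urlopen` and feed the decoded JSON body of a login or refresh response to `store`.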
