Authentication
API interactions require authentication.
Last updated
API interactions require authentication.
Last updated
Access to ACAEngine is secured via OAuth2. Before interacting, your app or integration will need to authenticate and obtain a valid access token. Once authenticated, this token must accompany all requests.
This can either be included as an Authorization header (recommended):
Or, as a query parameter:
All applications using the ACAEngine API need to be registered in Backoffice. Details on this can be found in the Backoffice user guide.
Once registered, take note of the client_id as well as the client_secret or redirect_uri, depending on the auth flow your application will use.
Using OAuth2, a few approaches are available to obtain an access token. Here's some recommendations based on common API uses:
Auth flow
Recommended use case
Implicit
Web, mobile and desktop apps communicating directly with the ACAEngine API.
Authorization Code
Web, mobile and desktop apps where your back-end communicates with the ACAEngine API on behalf of a user.
Password Grant
Server-to-server integration and highly trusted environments.
Authentication and direct API access from client side applications can be safely achieved via the OAuth implicit flow without your application needing to intercept any user details. This allows federated identity services to be used and your users security and privacy to be preserved.
All interaction within this flow takes place within a client-side user agent, making it a great choice for standalone apps.
To authenticate you will need to direct users to the authorisation endpoint, accompanied by your registered application details.
GET https://example.com/auth/oauth/authorize
client_id
string
Application client ID
redirect_uri
string
Your registered redirect URI.
response_type
string
"token"
state
string
A unique token, generated by your application. This will be included in the response and is recommended to avoid CSRF attacks.
Your users will then be prompted to authenticate via your configured identity provider and authorize your application. Once access is granted they will then be returned to your redirect URL with the access token included as a URI fragment.
Your application may then parse this token and use it for API requests.
URI fragments can be accessed from JavaScript with document.location.hash.
If you included a state parameter (you should), this will also be returned and should be validated against your original request prior to commencing any interaction.
When building application that contains server-side components you may find a need to provide users the ability to grant your infrastructure access to interact with the ACAEngine on their behalf. This is commonly encountered if you have staff or venue app and your ACAEngine deployment is not accessible from public networks, or you may be interacting with the API asynchronously or in response to events from other systems.
As with the implicit flow, at no point does your application require direct knowledge of user credentials.
Using this flow, users first authorize your application by creating a short-lived authorization code. This is then passed to your back-end components, where it can be redeemed for an access token.
To generate the authorisation code, direct your users to the authorisation endpoint with code as the requested response type.
GET https://example.com/auth/oauth/authorize
client_id
string
Application client ID
redirect_uri
string
Your registered redirect URI.
response_type
string
"code"
state
string
A unique token, generated by your application. This will be included in the response and is recommended to avoid CSRF attacks.
After authenticating and authorising your application, users will be redirected to your configured redirect URI with an authorisation code as part of the request parameters.
This response will also include the state parameter if it was included in your original request. This should be validated before continuing.
Your backend infrastructure may then extract this and exchange it for an access token that can be used to perform actions as the authorising user by using the token endpoint.
POST https://example.com/auth/oauth/token
grant_type
string
"authorization_code"
client_id
string
Application client ID.
client_secret
string
Application secret.
code
string
The authorization code from the previous step.
redirect_uri
string
The redirect URI used in the authorization code generation.
The Oauth2 password grant flow provides a good option for server-to-server integration, or when designing a system where direct knowledge of both user, and application secrets is acceptable.
This flow should not be used as part of any components distributed to users or un-trusted endpoints. This includes usage within client side code for web apps or mobile apps, including in compiled form.
This flow provides the ability to directly exchange a username and password for an access token as a single request.
POST https://example.com/auth/oauth/token
grant_type
string
"password"
username
string
The user to authenticate as.
password
string
The password to authenticate with.
authority
string
The domain ID to authenticate against.
client_id
string
Application client ID.
client_secret
string
Application client secret.
scope
string
When receiving a token, the server response will include a token expiry - expires_in - which is the number of seconds the token is valid for. By default, this is 14 days. When this period has elapsed your application will need to obtain a new access token. This can be done either by repeating the original authentication flow, or using a refresh token if provided.
Along with the access_token, successful authentication requests may also contain a refresh_token. This can be used to renew the session at any time, extending access as long as both the application registration and user are still valid.
POST https://example.com/auth/oauth/token
grant_type
string
"refresh_token"
refresh_token
string
The refresh token to use.
client_id
string
Application client ID.
client_secret
string
Application client secret.
To end a session, applications should request a token revocation. This will invalidate the token, preventing further use.
POST https://example.com/auth/oauth/revoke
token
string
The token to invalidate.