Authentication
Abowire uses OAuth2 and OpenID Connect (OIDC) to authenticate third-party applications. OAuth2 is a secure and standard way to grant third-party applications access to Abowire resources.
To access any of our API's resources you'll need an Access Token. You can request one using one of the authentication flows below. Access Tokens are scoped to the resources your credentials are authorized to access.
1. Generate your credentials
To get started you will need to create a Client ID and a Secret Key. You can create these in Settings > API Keys.
Note: You can't use your sandbox keys to access the production environment and vice versa. You will need a different set of credentials for each environment. You can easily recognize the environment by the prefix of the Client ID (e.g. sbx_ for sandbox and prd_ for production).
2. The OAuth flow
We highly recommend using a library to handle the OAuth2 authentication process. For a list of client libraries go here.
Endpoints
| Endpoint | URL |
|---|---|
| OAuth2 Authorization | https://auth.abowire.com/oauth2/auth |
| OAuth2 Token | https://auth.abowire.com/oauth2/token |
| OpenID | https://auth.abowire.com/userinfo |
Scopes
| Scope | Description | Is required |
|---|---|---|
| openid | Request an OpenID Connect ID Token | Required |
| profile | Request access to the OpenID profile | Not required |
| offline_access | A scope required when requesting refresh tokens | Not required |
Frontend applications
For frontend flows use the OAuth Authorization Code flow, which only requires your Client ID. Never expose your Secret Key. Use the following flow instead and ask an Abowire user to grant access to the required resources.
The flow works as follows:
- Start the flow by creating an Authorization URL with your Client ID and a callback URL.
- Redirect the user to this Authorization URL. The user will have to log in and grant your application access to Abowire.
- After a successful grant, the user will be redirected to the callback URL you specified with an Authentication Code.
- Exchange the Authentication Code for a Request Token.
- Exchange the Request Token for an Access Token.
Backend applications
Client Credentials Flow
For backend-to-backend communication use the Client Credentials Flow. This flow is simpler and requires your Client ID and Secret Key.
- Use your credentials to request a Request Token.
- Exchange the Request Token for an Access Token.
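Both flows described above, as an added example that is not Abowire's own code: it checks which environment a Client ID belongs to, builds the Authorization URL for the frontend flow, validates the callback's state before accepting the Authentication Code, and produces the form bodies for the token requests. The parameter names are the standard OAuth2 ones (assumed, since the page lists only the endpoints); the Client ID, Secret Key and callback URL values are placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoints from the table above
AUTH_URL = "https://auth.abowire.com/oauth2/auth"
TOKEN_URL = "https://auth.abowire.com/oauth2/token"


def environment_for(client_id):
    """Map the Client ID prefix to its environment; keys never work across environments."""
    prefixes = {"sbx_": "sandbox", "prd_": "production"}
    for prefix, env in prefixes.items():
        if client_id.startswith(prefix):
            return env
    raise ValueError("unrecognised Client ID prefix")


def build_authorization_url(client_id, redirect_uri, scopes=("openid",), state=None):
    """Authorization Code flow, step 1: only the Client ID is used, never the Secret Key."""
    if "openid" not in scopes:
        raise ValueError("the openid scope is required")
    state = state or secrets.token_urlsafe(32)  # unguessable, bound to this user session
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTH_URL + "?" + urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Step 3: read the Authentication Code from the callback, rejecting a state mismatch."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by our authorization request")
    if "error" in query:
        raise RuntimeError("authorization server returned: " + query["error"][0])
    return query["code"][0]


def code_exchange_body(client_id, code, redirect_uri):
    """Step 4: form body a frontend (public) client POSTs to TOKEN_URL; no secret is sent."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id})


def client_credentials_body(client_id, client_secret):
    """Client Credentials flow: backend only, because the Secret Key is part of the request."""
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret})
```

Send each body to TOKEN_URL as a POST with `Content-Type: application/x-www-form-urlencoded`; the backend body must come from a server-side process, not from code shipped to a browser.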