Authentication API

To authenticate the calls made by your application to the Qualifio APIs, an access token is required.

You can obtain said access token by using your client id and client secret (these credentials are provided to you by Qualifio) and making a request to our authorization server.

API Definition

Entrypoint

  • Production: https://auth.k8s.qualifio.com

Get token

Get a new token based on a clientId and clientSecret.

Request

POST /auth/realms/Qualifio/protocol/openid-connect/token

The request body must be sent as an HTTP form ("application/x-www-form-urlencoded") with URL-encoded values.

Request header

  • "Content-Type: application/x-www-form-urlencoded"
  • "Authorization: Basic BASIC_CREDENTIALS"
    • BASIC_CREDENTIALS must be replaced by the base64 encoding of the concatenation of the clientId and clientSecret separated by a ":"
    • If clientId = "clientId" and clientSecret = "clientSecret", then BASIC_CREDENTIALS = base64("clientId:clientSecret") = Y2xpZW50SWQ6Y2xpZW50U2VjcmV0

Request body

  • grant_type=client_credentials

Samples

Here are some code examples to help you understand this process:

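const axios = require('axios'); // https://www.npmjs.com/package/axios

async function getToken() {
  // Form-encoded request body. Note: this sample sends the client credentials
  // as form fields instead of the Basic Authorization header described above.
  const form = new URLSearchParams();
  form.append('grant_type', 'client_credentials');
  form.append('client_id', 'your-client-id');
  form.append('client_secret', 'your-client-secret');

  const response = await axios.post(
    'https://auth.k8s.qualifio.com/auth/realms/Qualifio/protocol/openid-connect/token',
    form,
    {
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
      },
    },
  );

  return response.data;
}

getToken()
  .then((token) => {
    // Printed for demonstration only; keep tokens out of application logs.
    console.log('Access token:', token.access_token);
    console.log('Token will expire in', token.expires_in, 'seconds');
  })
  .catch((err) => console.error('Token request failed:', err.message));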

Normal token validity is 1 hour (3600 seconds). This timing can be reduced/increased depending on specific needs.

Response

{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ5WW8xSkVIUW92S2FZS2JxOE12dC1pMExfU0QyYXZQRDJ6RHRwMjhHbC1rIn0.eyJleHAiOjE2MjczMDcwNDUsImlhdCI6MTYyNzMwMzQ0NSwianRpIjoiMmZkYmQ3ODMtN2EyMi00ZjdlLWJkNmYtMWQ0ODUxMDg3YzljIiwiaXNzIjoiaHR0cHM6Ly9hdXRoLnN0YWdpbmcuazhzLnF1YWxpZmlvLmNvbS9hdXRoL3JlYWxtcy9RdWFsaWZpbyIsInN1YiI6IjJlMmVkMmI4LWIyZmUtNDc1Mi1iYWYwLWViNjg3MThkZTg0MSIsInR5cCI6IkJlYXJlciIsImF6cCI6ImRlbW8tZXh0ZXJuYWwtYXBpIiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJjcnlwdG8tYXBpLWNyZWF0ZSIsImNyeXB0by1hcGktcmVhZCJdfSwic2NvcGUiOiIiLCJjbGllbnRJZCI6ImRlbW8tZXh0ZXJuYWwtYXBpIiwiY2xpZW50SG9zdCI6IjE0Ni41OS4yMDIuMTQ4IiwiY2xpZW50QWRkcmVzcyI6IjE0Ni41OS4yMDIuMTQ4IiwicWxmOkFjY291bnRJRCI6Mn0.Z-TYRCiIhjjMSfHx_Woq_VRPm3u9EHktkhIS45jjUHPQ5268MdLQ9Qv1MgyeA6UQK-iIVneeoBsklmoOCvD-yPBe7AGELlkvRad_49kgURo1NzZbR30RqFc7r4GJgfGtV5hFbp3ZFfyCY6jWA49rlnDEQ4WalCjP4pddnKVYGXzCiWFmwPspi9CcVmYCj1KEau3eCjRNH8B1k4d1aI5sl_lRP8wzDRmzgBPU0mVOtywo3t38CD1zY7F8w6NYsfpEUkTtm22CDKlBYPlABT1C6VnCdUTwPleIAJ0sHmxofk_XZZHZM3NJrhpZxfykCqRv9mg4K9J3mwy_KWrXhWUqbA",
"expires_in": 3600,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 1625826844,
"scope": ""
}

This token can then be used immediately until the expiration time (field expires_in expressed in seconds).

The normal content of the token is:

Header
{
"kid": "yYo1JEHQovKaYKbq8Mvt-i0L_SD2avPD2zDtp28Gl-k",
"alg": "RS256",
"typ": "JWT"
}

Payload
{
"exp": 1627307045,
"iat": 1627303445,
"jti": "2fdbd783-7a22-4f7e-bd6f-1d4851087c9c",
"iss": "https://auth.k8s.qualifio.com/auth/realms/Qualifio",
"sub": "2e2ed2b8-b2fe-4752-baf0-eb68718de841",
"typ": "Bearer",
"azp": "demo-external-api",
"acr": "1",
"realm_access": {
"roles": [
"crypto-api-create",
"crypto-api-read"
]
},
"scope": "",
"clientId": "demo-external-api",
"clientHost": "146.59.202.148",
"clientAddress": "146.59.202.148",
"qlf:AccountID": 2
}

Requests are authenticated by adding the Authorization HTTP header containing a Bearer token:

Authorization: Bearer your_access_token
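
The pieces documented on this page (Basic credentials header, expires_in and the Bearer header) put together as an added example, not Qualifio's own code: a token provider that sends the credentials in the Authorization header, keeps the token in memory and renews it shortly before it expires. The names basicCredentials, httpPost and createTokenProvider and the 30-second renewal margin are assumptions of this example; it relies on the global fetch of Node 18+.

```javascript
// Added example. Function names and skewSeconds are hypothetical, not part of the Qualifio API.
const TOKEN_URL =
  'https://auth.k8s.qualifio.com/auth/realms/Qualifio/protocol/openid-connect/token';

// base64("clientId:clientSecret"), as described under "Request header".
function basicCredentials(clientId, clientSecret) {
  return Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
}

// Default transport (Node 18+ global fetch); a stub can be injected for tests.
async function httpPost(url, headers, body) {
  const res = await fetch(url, { method: 'POST', headers, body });
  // Report the status only, so credentials and tokens never reach error logs.
  if (!res.ok) throw new Error(`Token request failed with HTTP ${res.status}`);
  return res.json();
}

function createTokenProvider({ clientId, clientSecret, post = httpPost,
                               now = Date.now, skewSeconds = 30 }) {
  let cached = null;   // { token, expiresAt }, held in memory only
  let inflight = null; // shared by concurrent callers so one request is sent

  async function requestToken() {
    const data = await post(TOKEN_URL, {
      'Content-Type': 'application/x-www-form-urlencoded',
      Authorization: `Basic ${basicCredentials(clientId, clientSecret)}`,
    }, new URLSearchParams({ grant_type: 'client_credentials' }).toString());
    const isBearer = String(data.token_type).toLowerCase() === 'bearer';
    if (!isBearer || !data.access_token || !(data.expires_in > 0)) {
      throw new Error('Unexpected token response');
    }
    // Renew skewSeconds early so a token does not expire during an API call.
    cached = { token: data.access_token,
               expiresAt: now() + (data.expires_in - skewSeconds) * 1000 };
    return cached.token;
  }

  async function getToken() {
    if (cached && now() < cached.expiresAt) return cached.token;
    inflight = inflight || requestToken().finally(() => { inflight = null; });
    return inflight;
  }

  // Header to attach to each authenticated API request.
  async function authHeader() {
    return { Authorization: `Bearer ${await getToken()}` };
  }
  return { getToken, authHeader };
}
```

Load clientId and clientSecret from the environment or a secret store rather than hard-coding them in source.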

Client credentials grant flow

Additional resources: