
Client authentication

Overview

Client authentication using a client ID and client secret is a common method for verifying the identity of a client application that requests access to a protected resource, such as an API. It is the OAuth 2.0 client credentials grant: no end user is involved, the application itself is the party being authenticated.

In this method, the client application sends a request to the authorization server's token endpoint carrying its client ID and client secret. The client ID is a public identifier for the application. The client secret is a shared secret known only to the client and the authorization server; it is not a cryptographic private key, so anyone who obtains it can obtain tokens as that client. Treat it like a password: keep it out of source control and client-side code (browser or mobile apps cannot keep it confidential), store it in a secrets manager, only ever send it over HTTPS, and rotate it if it is exposed.

Roles

There are two roles inside the client authentication flow:

Client

The application that requests access to protected resources on a resource server. It may be a third-party application, or an application that belongs to the organization owning the resources. In the client credentials flow described here, the client is the party that authenticates.

Authorization server

The server that authenticates the client trying to get access to the protected resources and issues access tokens.

Client authentication request

The client authentication request is a POST request to the authorization server's token endpoint (/oauth/token), with the body encoded as application/x-www-form-urlencoded. The request must include the following parameters:

  • grant_type - Set this to "client_credentials"
  • client_id - Your application's Client ID
  • client_secret - Your application's Client Secret
  • scope - The scopes requested for the token, as a single space-separated string. The available scopes are DEFAULT, authenticated and CARRIER_ID. The scope actually granted is returned in the response and may be narrower than what was requested, so check it rather than assuming the token carries every scope you asked for.
Note on CARRIER_ID

The CARRIER_ID is the unique identifier of your carrier account. It is provided to you by Peddler.

# Double quotes so the shell expands PEDDLER_API_DOMAIN; the secret is read from
# the environment rather than typed on the command line, where it would land in
# shell history and `ps` output.
curl --location --request POST "${PEDDLER_API_DOMAIN}/oauth/token" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode "client_id=${PEDDLER_CLIENT_ID}" \
--data-urlencode "client_secret=${PEDDLER_CLIENT_SECRET}" \
--data-urlencode 'scope=DEFAULT authenticated CARRIER_ID' \
--max-time 180
Domain

PEDDLER_API_DOMAIN can be one of the following:

Receiving the bearer token (in the response body, as JSON)

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
"access_token":"FkzdyJV14zc73AaK9FmNCtyp5bUTegis",
"expires_in":7200,
"scope":"DEFAULT authenticated",
"token_type":"Bearer"
}

OR

HTTP/1.1 403 FORBIDDEN
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
"error":"access_denied",
"error_description":"Invalid subject: test"
}
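The whole exchange above, from building the form-encoded request to handling both response shapes, as an added example in Python. This is not Peddler's own client code; it assumes only what this page states (the /oauth/token path, the four form parameters, the 200 body with access_token/expires_in/scope/token_type and the 403 body with error/error_description). The HTTP transport is injectable so the flow can be exercised offline against the two sample responses copied from the page; the domain, client ID and secret used in the demo are placeholders.

```python
"""Client-credentials token request against a Peddler-style token endpoint.

Added example, not Peddler's code. Assumes only what the documentation states:
POST {domain}/oauth/token, form-encoded grant_type/client_id/client_secret/scope,
answered with 200 + token JSON or 403 + error JSON.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

TOKEN_PATH = "/oauth/token"

# Sample responses copied from the documentation, used for the offline demo.
SAMPLE_OK = (200, b'{"access_token":"FkzdyJV14zc73AaK9FmNCtyp5bUTegis",'
                  b'"expires_in":7200,"scope":"DEFAULT authenticated","token_type":"Bearer"}')
SAMPLE_DENIED = (403, b'{"error":"access_denied","error_description":"Invalid subject: test"}')


@dataclass(frozen=True)
class Token:
    access_token: str
    token_type: str
    expires_at: float          # absolute epoch seconds, derived from expires_in
    scope: frozenset

    def expired(self, now: Optional[float] = None, skew: float = 60.0) -> bool:
        """Report expiry `skew` seconds early so no request carries a token that dies in flight."""
        now = time.time() if now is None else now
        return now + skew >= self.expires_at


class TokenError(Exception):
    """The token endpoint refused the request (e.g. the page's 403 access_denied)."""
    def __init__(self, status: int, error: str, description: str):
        super().__init__(f"{status} {error}: {description}")
        self.status, self.error, self.description = status, error, description


def build_request(domain: str, client_id: str, client_secret: str,
                  scopes: Iterable[str]) -> Tuple[str, dict, bytes]:
    """URL, headers and body of the client-authentication request."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),      # scopes travel as one space-separated string
    }).encode()
    return domain.rstrip("/") + TOKEN_PATH, {"Content-Type": "application/x-www-form-urlencoded"}, body


def parse_response(status: int, body: bytes, now: Optional[float] = None) -> Token:
    """Turn the endpoint's reply into a Token, or raise TokenError on a non-200 status."""
    data = json.loads(body)
    if status != 200:
        raise TokenError(status, data.get("error", "unknown"), data.get("error_description", ""))
    if data.get("token_type", "").lower() != "bearer":
        raise TokenError(status, "unexpected_token_type", str(data.get("token_type")))
    now = time.time() if now is None else now
    return Token(data["access_token"], data["token_type"],
                 now + float(data["expires_in"]), frozenset(data.get("scope", "").split()))


def missing_scopes(token: Token, requested: Iterable[str]) -> set:
    """Scopes that were requested but not granted. The page's own 200 example grants only
    DEFAULT and authenticated for a request that also asked for CARRIER_ID."""
    return set(requested) - token.scope


def bearer_header(token: Token) -> dict:
    """Authorization header for calling the protected API with the token."""
    return {"Authorization": f"{token.token_type} {token.access_token}"}


def urllib_transport(url: str, headers: dict, body: bytes, timeout: float = 180) -> Tuple[int, bytes]:
    """Real transport: POST over HTTPS and return (status, raw body), including error bodies."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def fake_transport(status: int, raw: bytes) -> Callable:
    """Offline transport that replays a canned response (for the demo and tests)."""
    return lambda url, headers, body: (status, raw)


def fetch_token(domain: str, client_id: str, client_secret: str, scopes: Iterable[str],
                transport: Callable = urllib_transport, now: Optional[float] = None) -> Token:
    url, headers, body = build_request(domain, client_id, client_secret, scopes)
    status, raw = transport(url, headers, body)
    return parse_response(status, raw, now)


if __name__ == "__main__":
    wanted = ["DEFAULT", "authenticated", "CARRIER_ID"]
    # Placeholder domain and credentials; the canned 200 response stands in for the server.
    tok = fetch_token("https://api.example.invalid", "my-client-id", "my-client-secret",
                      wanted, transport=fake_transport(*SAMPLE_OK))
    print("granted scope:", sorted(tok.scope), "missing:", missing_scopes(tok, wanted))
    print("header:", bearer_header(tok))
    try:
        fetch_token("https://api.example.invalid", "my-client-id", "wrong-secret",
                    wanted, transport=fake_transport(*SAMPLE_DENIED))
    except TokenError as err:
        print("refused:", err)
```

Cache the Token and re-request only when `expired()` reports true; every call to the token endpoint sends the client secret, so minimising those calls also minimises the secret's exposure. Swap `fake_transport` for the default `urllib_transport` to talk to the real endpoint.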