OAuth 2.0 Client Credentials Grant

The Client Credentials Grant is used when the client application authenticates as itself, with no end user involved: the application calls the API on its own behalf. The client presents its own credentials (API key and secret) to the authorization server and receives an access token in return.

Below is a sample authentication request. Note that the exact details of the grant depend on the API in question. Any exceptions or additional requirements will be explained in API documentation.

Sample authentication

1. Client requests authentication

The client application requests authentication, presenting its application credentials in the form body of a POST. In the example call below, _client_id_ is your APP API KEY and _client_secret_ is your APP API SECRET; the parameter names come from the OAuth 2.0 standard. Note that this API takes _grant_type_ as a query-string parameter, whereas RFC 6749 places it in the form body, so a generic OAuth client library may need to be configured accordingly. The request must be sent over TLS, and the secret belongs only in the request body: never put it in the URL, and make sure it is not written to logs or proxy traces.

POST /auth/v2/accesstoken?grant_type=client_credentials HTTP/1.1
Host: sandbox.apis.op-palvelut.fi
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
 
client_id=*********&client_secret=*******

2. Auth server responds with access token

The response contains the access token and associated data in JSON format. _expires_in_ is the token lifetime in seconds; cache the token and reuse it until shortly before it expires rather than requesting a new one for every call. The response may also contain a refresh token which can be used to request additional access tokens (RFC 6749 says a refresh token should not normally be issued for this grant, since the client can simply repeat the credentials request, so do not rely on its presence). Treat the access token like a password: it grants whatever the application is entitled to until it expires.

Response body:

{
  "token_type" : "BearerToken",
  "access_token" : "Axqx362CnSmLABgzqcBasG0pxBj9",
  "scope" : "",
  "status" : "approved",
  "refresh_token" : "U71FUIsqADNqpaqhh4pNsqE2YYfPwbUV",
  "refresh_token_expires_in" : "1799",
  "refresh_token_issued_at" : "1521035756257",
  "expires_in" : "86399",
  "refresh_count" : "0"
}

3. Client calls business API

Finally, the client makes the actual API call, presenting the access token in the Authorization header with the Bearer scheme (the scheme is "Bearer" regardless of the _token_type_ string returned above). For example:

curl -v "https://sandbox.apis.op-palvelut.fi/loans/oneoffs/v1/creditterms" -H "Authorization: Bearer Axqx362CnSmLABgzqcBasG0pxBj9"
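The three steps above as one runnable flow. This is an added example, not code from the OP developer portal: it stands up a local stand-in for the token endpoint and the business API (plain HTTP on 127.0.0.1 instead of the TLS sandbox host) so it runs offline, and the key, secret and the empty creditTerms payload are constructed values. The client side is what matters: the credentials travel in the form body, grant_type in the query string as this API expects, the response is checked for approval before the token is used, and the token is presented with the Bearer scheme.

```python
"""Client Credentials Grant, steps 1-3, exercised against a local stand-in server."""
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo credentials (assumption: not real sandbox values).
FAKE_KEY = "demo-app-key"
FAKE_SECRET = "demo-app-secret"
FAKE_TOKEN = "Axqx362CnSmLABgzqcBasG0pxBj9"  # token value from the page's sample response


class _StandInHandler(BaseHTTPRequestHandler):
    """Stand-in for the token endpoint (POST) and a business API (GET)."""

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        url = urllib.parse.urlsplit(self.path)
        query = urllib.parse.parse_qs(url.query)
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if url.path != "/auth/v2/accesstoken" or query.get("grant_type") != ["client_credentials"]:
            return self._send(400, {"error": "unsupported_grant_type"})
        # Credentials are read from the form body only, never from the query string.
        if form.get("client_id") != [FAKE_KEY] or form.get("client_secret") != [FAKE_SECRET]:
            return self._send(401, {"error": "invalid_client"})
        self._send(200, {"token_type": "BearerToken", "access_token": FAKE_TOKEN,
                         "status": "approved", "expires_in": "86399"})

    def do_GET(self):
        # The business API accepts only the Bearer scheme with a valid token.
        if self.headers.get("Authorization") != f"Bearer {FAKE_TOKEN}":
            return self._send(401, {"error": "invalid_token"})
        self._send(200, {"creditTerms": []})  # constructed stand-in payload


def get_access_token(base_url, client_id, client_secret):
    """Steps 1 and 2: POST credentials in the form body; grant_type in the query string."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(
        f"{base_url}/auth/v2/accesstoken?grant_type=client_credentials",
        data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded", "Cache-Control": "no-cache"})
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)
    # Do not use a token the server did not approve; do not log the token itself.
    if "access_token" not in token or token.get("status", "approved") != "approved":
        raise RuntimeError("token request was not approved")
    return token


def call_business_api(base_url, access_token):
    """Step 3: present the token with the Bearer scheme, whatever token_type said."""
    req = urllib.request.Request(f"{base_url}/loans/oneoffs/v1/creditterms",
                                 headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.load(resp)


def run_flow(client_id, client_secret):
    """Run the whole flow against the local stand-in; return the final HTTP status."""
    server = HTTPServer(("127.0.0.1", 0), _StandInHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"  # real sandbox is https
    try:
        token = get_access_token(base, client_id, client_secret)
        status, _payload = call_business_api(base, token["access_token"])
        return status
    except urllib.error.HTTPError as err:
        return err.code  # 401 for a wrong secret or a bad token, 400 for a bad grant
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("valid credentials ->", run_flow(FAKE_KEY, FAKE_SECRET))
    print("wrong secret      ->", run_flow(FAKE_KEY, "not-the-secret"))
```

Against the real sandbox, replace the stand-in base URL with https://sandbox.apis.op-palvelut.fi and drop the local server; the two client functions are unchanged. The wrong-secret path shows the failure mode a practitioner should expect (401 with invalid_client) rather than a token the client would then present in vain.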