Service-to-service integration with the Order Exchange API requires a partner integration client, which must be requested for each integration. Using the partner integration client credentials, access tokens are requested to gain access to the Order Exchange API.
With the partner integration grant type, tokens for a technical user can be obtained with only the client_id and client_secret. This grant must only be used by confidential clients that can safely keep a client_secret.
Parameters:
- Basic authentication with client_id and client_secret, as in RFC 6749 - Client Password
- grant_type=partner_integration
- integration_id, provided to the partner during product activation

A response looks like the one described in RFC 6749.
The partner application must use the access token from the response to access the APIs in scope. A refresh token is not issued because the partner application can obtain a new access token whenever it needs it.
An access token is valid for a specified time, as described in RFC 6749 - Access Token Response, and should be used for all API requests during that time. So it is not necessary to request a new access token before every request to an API.
Details:
- "access_token": "eyJraWQiOiJjMD..." : the value of the access token to be used
- "token_type": "bearer" : the access token is a bearer token
- "expires_in": 3600 : the access token is valid for 3600 seconds
- "scope": "scope1 scope2" : scopes are used to limit access to parts of an API

The access token is sent in the Authorization header of requests to RIO APIs. It must NOT be included in requests to APIs that are not RIO APIs. The access token is a JWT as specified in RFC 7519 - JSON Web Token (JWT). A JWT has the form xxxxx.yyyy.zzzzz
Whereby:
- xxxxx : JOSE header (Base64Url encoded)
- yyyy : JWS Payload (Base64Url encoded)
- zzzzz : JWS signature (based on the algorithm specified in the header)

Normally, clients should not need to decode the access token. However, if you ever need to decode the token for debugging purposes, please use a local program (e.g. https://github.com/mike-engel/jwt-cli).
We generally advise against using online/browser tools for this. If you nevertheless rely on such services (e.g. https://jwt.io), never paste the entire token, but only the header and payload: xxxxx.yyyy. If you share the entire access token, including the signature, with a third person/service, that person can impersonate your client for 1h on the RIO Platform. Any damage caused by this falls back on you.