Authentication & Access Tokens
Introduction
Effective token management is critical for secure and efficient API interactions. Passport's API uses an OAuth2 authentication model, ensuring that you can securely authenticate and authorize API requests. This guide provides a structured overview of how to generate, manage, and revoke access tokens.
Bearer Authentication
Bearer authentication (also known as token authentication) is an HTTP authentication scheme that uses security tokens, specifically bearer tokens. The idea is simple: if you have the token, you're granted access. That's why it's called "bearer": whoever bears the token gets access.
Bearer tokens are typically long, random strings generated by the server after a successful login or authorization request. Once you have a token, you must include it in the Authorization header when making requests to protected endpoints:
Authorization: Bearer <token>
Authentication Flow
- Register as an Entity: You must register on the Passport platform.
- Obtain API Keys: After registration, you receive a Client ID (API Key) and Client Secret (API Secret).
- Generate an Access Token: Use these keys to request an access token, which grants system-wide API access.
API Endpoints for Token Management
Generate an Access Token
Definition | Description |
---|---|
Endpoint | https://bre-b-sandbox.api.visionamos.passportfintech.com/v1/iam/oauth/tokens |
Method | POST |
Headers | Accept-Language, Content-Length, Content-Type: application/json |
Authentication | Client Credentials (API Key and API Secret) |
Request Body Parameters
Parameter | Type | Description |
---|---|---|
client_id | String | Your API Key (Client ID) issued during registration. |
client_secret | String | Your API Secret (Client Secret) required for authentication. |
grant_type | String | Must be set to client_credentials to generate a token. |
Example of Request
{
"client_id": "YOUR_API_KEY",
"client_secret": "YOUR_API_SECRET",
"grant_type": "client_credentials"
}

Access Token Creation
Example of Response
The expected HTTP response status is 200 OK, with the following response body:
{
"expires_in": 86400,
"access_token": "17d5cc1adb6f6c90d5aa73f74b38f9fa3336d04aee6cf8121a3cf19f190e6213",
"token_id": "a10f0955-3afe-43be-a120-6d262610ae70",
"token_type": "Bearer",
"scopes": [
"iam.accounts.get",
"iam.users.get",
"iam.users.list.get",
"iam.login_profiles.patch",
"iam.oauth.tokens.list.get",
"iam.oauth.tokens.get",
"iam.oauth.tokens.delete",
"iam.logout.post",
"iam.mfa.*",
"iam.roles.get",
"iam.roles.list.get",
"iam.roles.users.list.get",
"iam.users.roles.list.get",
"paas.core.entity_customers.post",
"paas.core.entity_customers.patch",
"paas.core.entity_customers.get",
"paas.core.entity_customers.list.get",
"paas.core.accounts.post",
"paas.core.accounts.get",
"paas.core.accounts.list.get",
"paas.core.account_keys.post",
"paas.core.account_keys.get",
"paas.core.account_keys.list.get",
"paas.core.breb_recipients.post",
"paas.core.breb_recipients.get",
"paas.core.breb_recipients.list.get",
"paas.core.breb_payments.post",
"paas.core.breb_payments.get",
"paas.core.breb_payments.list.get",
"paas.core.webhooks.post",
"paas.core.webhooks.get",
"paas.core.webhooks.list.get",
"paas.core.webhooks.patch",
"paas.core.webhooks.delete",
"paas.core.qrcodes.post",
"paas.core.qrcodes.get",
"paas.core.qrcodes.list.get",
"paas.core.account_keys.patch"
],
"account_id": "b94301c0-0752-4676-9dac-3c909c1703a1",
"created_at": "2025-05-28T13:58:06.475Z",
"roles": [
"entity.client_credentials"
]
}
The Developer Access Token is valid for 24 hours (86,400 seconds), as reported in the expires_in field of the response.
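The client-credentials request and the Bearer header described above, worked through as a small token manager that renews the token before expires_in runs out. This is an added example, not Passport's SDK; the 5-minute renewal margin, the Accept-Language value and the injectable transport are assumptions, and the sample response is a constructed stand-in for the one shown above.

```python
# Added example (not Passport's SDK): client-credentials token handling for
# /v1/iam/oauth/tokens, relying only on the fields shown in this guide.
import json
import time
import urllib.request

TOKEN_URL = "https://bre-b-sandbox.api.visionamos.passportfintech.com/v1/iam/oauth/tokens"
# Renew this long before expires_in elapses so no request carries a token that
# dies mid-flight. The 5-minute margin is an assumption, not a Passport rule.
RENEW_MARGIN_SECONDS = 300

def https_post_json(url, body):
    """Default transport: JSON POST with the headers the guide lists."""
    data = json.dumps(body).encode()
    hdrs = {"Content-Type": "application/json", "Content-Length": str(len(data)), "Accept-Language": "en"}
    with urllib.request.urlopen(urllib.request.Request(url, data, hdrs, method="POST"), timeout=10) as r:
        return json.load(r)

class TokenManager:
    """Caches one access token and re-requests it shortly before it expires."""
    def __init__(self, client_id, client_secret, post_json=https_post_json, clock=time.time):
        self._creds = {"client_id": client_id, "client_secret": client_secret,
                       "grant_type": "client_credentials"}
        self._post_json, self._clock = post_json, clock
        self._token, self._expires_at = None, 0.0

    def needs_renewal(self):
        return self._token is None or self._clock() >= self._expires_at - RENEW_MARGIN_SECONDS

    def auth_header(self):
        """Return the Authorization header, fetching a fresh token when needed."""
        if self.needs_renewal():
            resp = self._post_json(TOKEN_URL, self._creds)
            if resp.get("token_type") != "Bearer":
                raise ValueError("unexpected token_type: %r" % resp.get("token_type"))
            self._token = resp["access_token"]
            self._expires_at = self._clock() + int(resp["expires_in"])
        return {"Authorization": "Bearer " + self._token}

# Constructed stand-in for the guide's sample response (other fields omitted).
SAMPLE_RESPONSE = {"expires_in": 86400, "token_type": "Bearer",
                   "access_token": "17d5cc1adb6f6c90d5aa73f74b38f9fa3336d04aee6cf8121a3cf19f190e6213"}

def demo():
    # Offline run: count the token requests made by three API calls over 24 hours.
    requests, now = [], [1_000_000.0]
    mgr = TokenManager("YOUR_API_KEY", "YOUR_API_SECRET", clock=lambda: now[0],
                       post_json=lambda url, body: requests.append(body) or SAMPLE_RESPONSE)
    first = mgr.auth_header()
    mgr.auth_header()                       # token still fresh: served from cache
    now[0] += 86400 - RENEW_MARGIN_SECONDS  # now inside the renewal margin
    mgr.auth_header()                       # triggers a second token request
    return first["Authorization"], len(requests)
```

With the default transport, TokenManager("YOUR_API_KEY", "YOUR_API_SECRET").auth_header() performs the real request against the sandbox endpoint; the secret never leaves the server side of your integration.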
Best Practices for Token Management
- Use short-lived tokens: Renew tokens periodically to enhance security.
- Store credentials securely: Never expose API keys or tokens in client-side code.
- Rotate API keys periodically: Regularly update keys to prevent unauthorized access.
Next Steps
Now that you understand how to generate and manage access tokens in Passport, you can proceed with:
- Integrating your credentials into Postman or your development environment.
- Using the generated token to authenticate calls to the platform's various endpoints.
- Exploring the available flows in our Postman collection and detailed endpoint documentation.