Authentication
Using Email and Password
You can generate an access token for our API using your email and password, with the following endpoint.
The endpoint will return an access token that can be used to authenticate with our API, using the Authorization: Bearer <token> header.
Email & password is the easiest way to authenticate with the API programmatically. However, for testing, the access token can also be obtained by logging in with the web interface and using the value from the accessToken cookie.
Server Token
The server token is required to access data that does not require a PowerAPI user context. You can obtain it using:
curl -F grant_type=client_credentials \
  -F client_id=valid_client_id -F client_secret=valid_client_secret -F scope=public \
  -X POST https://api.powerapi.com/oauth/token
Keep in mind that access tokens will expire after four weeks.
Authentication Flow
A user access token is required when a PowerAPI user context is necessary.
- Flow should be initiated by directing the resource owner's user-agent to the authorization endpoint:
https://api.powerapi.com/oauth/authorize?client_id=valid&redirect_uri=http://localhost:8080/oauth-callback&response_type=code&scope=trusted+refresh_token+public
- After access is granted, the user-agent will be redirected back to the redirection URI provided in the request. The redirection URI includes an authorization code.
- The access token can be requested from the server's token endpoint by including the authorization code received in the previous step:
curl -F grant_type=authorization_code \
  -F client_id=valid_client_id -F client_secret=valid_client_secret -F redirect_uri=http://localhost:8080/oauth-callback \
  -F code=valid_code -X POST https://api.powerapi.com/oauth/token
A user's access token returned by the server's token endpoint will be valid for 6 hours.
When the user's access_token has expired, you can obtain a new access_token by exchanging the refresh_token associated with the access_token using the Token Exchange endpoint. Refreshing the user access token means that you don't need to ask the user to authorize your app for the same permissions again.
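The three steps of the Authentication Flow above, written out client-side as an added example (not PowerAPI's own code). The function names are hypothetical, and the state parameter is the standard OAuth 2.0 (RFC 6749) anti-CSRF value; that PowerAPI echoes it back on the redirect is an assumption, since this page does not mention it.

```python
# Added example, not PowerAPI's own code. URLs, parameters and scopes are taken
# from the page; `state` handling is an assumption based on RFC 6749.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://api.powerapi.com/oauth/authorize"
REDIRECT_URI = "http://localhost:8080/oauth-callback"


def build_authorize_url(client_id):
    """Step 1: URL to send the user-agent to, plus the state to keep in the session."""
    state = secrets.token_urlsafe(32)  # unguessable value tied to this login attempt
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "trusted refresh_token public",  # sent as trusted+refresh_token+public
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def parse_callback(callback_url, expected_state):
    """Step 2: extract the authorization code from the redirect, or raise ValueError."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("callback does not match the registered redirect URI")
    params = parse_qs(parts.query)
    if "error" in params:  # e.g. the user denied the access grant
        raise ValueError(f"authorization failed: {params['error'][0]}")
    got_state = params.get("state", [""])[0]
    if not hmac.compare_digest(got_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this request")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def token_request_fields(client_id, client_secret, code):
    """Step 3: form fields to POST to https://api.powerapi.com/oauth/token."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": REDIRECT_URI, "code": code}
```

The redirect_uri in step 3 must be the same value that was sent in step 1, which is why both functions read it from one constant.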