Skip to main content

Authentication

Using Email and Password

You can generate an access token for our API using your email and password, with the following endpoint.

Create an access token

The endpoint will return an access token that can be used to authenticate with our API, using the Authorization: Bearer <token> header.

tip

Email & password is the easiest way to authenticate with the API programmatically. However, for testing the access token can also be obtained by logging in with the web interface and using the value from the accessToken cookie.

Server Token

The server token is required to access data that does not require a PowerAPI user context. You can obtain it using:

curl -F grant_type=client_credentials
  -F client_id=valid_client_id -F client_secret=valid_client_secret -F scope=public
  -X POST https://api.powerapi.com/oauth/token
Token Expiration

Keep in mind that access tokens will expire after four weeks.

Authentication Flow

A user access token is required when a PowerAPI user context is necessary.

  • Flow should be initiated by directing the resource owner's user-agent to the authorization endpoint:
    https://api.powerapi.com/oauth/authorize?client_id=valid&redirect_uri=http://localhost:8080/oauth-callback&response_type=code&scope=trusted+refresh_token+public
  • After access grant, the user-agent will be redirected back to redirection URI provided in the request. The redirection URI includes an authorization code.
  • The access token can be requested from the server's token endpoint by including the authorization code received in the previous step:
    curl -F grant_type=authorization_code
      -F client_id=valid_client_id -F client_secret=valid_client_secret -F redirect_uri=http://localhost:8080/oauth-callback
      -F code=valid_code -X POST https://api.powerapi.com/oauth/token

A users' access token returned by the server's token endpoint will be valid for 6 hours.

When the user's access_token has expired, you can obtain a new access_token by exchanging the refresh_token associated with the access_token using the Token Exchange endpoint. Refreshing the user access token means that you don't need to ask the user to authorize your app for the same permissions again.