Below is an example of the authentication workflow for requesting a PUBLIC access token from the client application's perspective.

1. Construct a POST request to the OAuth2 Resource and set the content-type to application/x-www-form-urlencoded

   POST http://www.myapi.net/oauth2/tokens
   Content-Type: application/x-www-form-urlencoded

2. Include the following parameters in the request body

   grant_type=password&scope=mobee&role=PUBLIC

   Note: Username and Password not Used

   Usernames and Passwords are not used in this scenario. To generate a token to access resources that require a registered account, see Authenticate a customer.

3. The Cortex API authenticates the request and returns either a success or failure HTTP response. Successful authentication returns the following HTTP response:

   {
      "access_token": "a9256d79-9273-4820-b45d-587f90d1dc9b",
      "token_type":"bearer",
      "expires_in": 359,
      "scope" : "MOBEE",
      "role": "PUBLIC"
   }

   Unsuccessful authentication returns a 401 status code and an error message.

Once a token is granted, all subsequent requests to Cortex API must include the access token in an Authorization request header. If the access token is invalid, does not exist in the Authorization request header, or the user does not have the authority to access a resource, Cortex API returns a 401 status code

Add the access token to your request headers as shown in the example below:

Content-Type: application/json
Authorization: Bearer a9256d79-9273-4820-b45d-587f90d1dc9b

Revoke an access token by calling DELETE on the OAuth2 Resource. Include the access token to revoke in the Authroization request header.

DELETE http://www.myapi.net/oauth2/tokens
Authorization: Bearer a9256d79-9273-4820-b45d-587f90d1dc9b

Access tokens are immediately valid once they are returned to the client application. Tokens are valid for 1 week, after which they expire and are no longer valid for access.