Generate a Public OAuth Token
An access token is required for applications to access Cortex. To use the API or build an application that doesn’t require the end user to create an account or authenticate, the client application should request a public access token. This access token enables access to resources that don’t require a registered account.
Requesting an access token
Below is an example of the authentication workflow for requesting a PUBLIC
access token from the client application’s perspective.
Construct a
POST
request to the OAuth2 Resource and set the content-type toapplication/x-www-form-urlencoded
POST http://www.myapi.net/oauth2/tokens Content-Type: application/x-www-form-urlencoded
Include the following parameters in the request body:
grant_type=password&scope=mobee&role=PUBLIC
Usernames and Passwords are not used in this scenario. To generate a token to access resources that require a registered account, see Authenticate a customer.
Cortex authenticates the request and returns either a success or failure HTTP response.
Successful authentication returns the following HTTP response:
{ "access_token": "a9256d79-9273-4820-b45d-587f90d1dc9b", "token_type":"bearer", "expires_in": 359, "scope" : "MOBEE", "role": "PUBLIC" }
Unsuccessful authentication returns a
401 Unauthorized
status code and an error message.
Using an access token
Once the token is granted, all subsequent requests to Cortex must include the access token in an Authorization request header. If the access token is invalid, does not exist in the Authorization request header, or the user does not have the authority to access a resource, Cortex returns a 401 Unauthorized
status code
Add the access token to your request headers as shown in the example below:
Content-Type: application/json
Authorization: Bearer a9256d79-9273-4820-b45d-587f90d1dc9b
Token Type
You must use Bearer in the Authorization header. This is an OAuth 2.0 standard.
Revoking an access token
Revoke an access token by calling DELETE
on the OAuth2 Resource. Include the access token to revoke in the Authorization request header.
DELETE http://www.myapi.net/oauth2/tokens
Authorization: Bearer a9256d79-9273-4820-b45d-587f90d1dc9b
Access token validity and expiration
Access tokens are immediately valid once they are returned to the client application. Tokens are valid for 1 week, after which they expire and are no longer valid for access.