All of Survalyzer's public APIs require authentication. The credential is sent in the Authorization header using the Bearer scheme. A bearer token can be acquired in several ways, all of them based on OAuth.
OAuth Endpoints
Depending on the data center your account is hosted in, the endpoints differ. Your URL shows you two important pieces of information:
- The tenant
- The data center
The data center in the URL is either swiss or eu. The related endpoints are documented on the following pages.
Swiss: https://authentication.survalyzer-swiss.app/swagger/index.html
EU: https://authentication.survalyzer-eu.app/swagger/index.html
The client_id and the client_secret can be found in the account settings on the Automation tab. Treat the client_secret like a password: it is only needed by the machine-to-machine and refresh requests below and must never be shipped in browser or mobile code.
Authorization code (Human Interactive flow)
Authorize endpoint
GET /openid/authorize?response_type=code&client_id={tenant}_api&redirect_uri={your return url}&scope=openid&state={some unique transaction string}
The redirect_uri must be URL-encoded. The state value must be unguessable, and the value returned on the redirect must be compared with the one you sent before the code is exchanged; otherwise an attacker can inject a code of their own into your session.
Token endpoint
POST /openid/token
Content-Type: application/x-www-form-urlencoded
Body: grant_type=authorization_code&code={code from authorize call}&client_id={tenant}_api&redirect_uri={your return url}
Returns:
{ "access_token":"{token}", "refresh_token": "{refresh token}", "token_type":"bearer", "id_token": "{id token}", "expires_in":1800 }
Client credentials (Machine to Machine, Account rights)
Token endpoint
POST /openid/token
Content-Type: application/x-www-form-urlencoded
Body: grant_type=client_credentials&client_id={tenant}_api&client_secret={your application secret}
Returns:
{ "access_token":"{token}", "token_type":"bearer", "expires_in":1800 }
Password credentials (Machine to Machine, User rights)
Token endpoint
POST /openid/token
Content-Type: application/x-www-form-urlencoded
Body: grant_type=password&client_id={tenant}_api&username={username}&password={password}&scope=openid
Optional: append &panel_id={panel id}
Returns:
{ "access_token":"{token}", "refresh_token": "{refresh token}", "token_type":"bearer", "id_token": "{id token}", "expires_in":1800 }
Refresh Tokens
Access tokens are valid for 30 minutes (expires_in is given in seconds). After that a new token must be acquired with the refresh token, which is valid for 24 hours.
POST /openid/token
Content-Type: application/x-www-form-urlencoded
Body: grant_type=refresh_token&refresh_token={refresh token}&client_id={tenant}_api&client_secret={your application secret}&redirect_uri={your return url}&scope=openid
Returns:
{ "access_token":"{token}", "refresh_token": "{refresh token}", "token_type":"bearer", "id_token": "{id token}", "expires_in":1800 }
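The following is an added example, not Survalyzer's own SDK or code from this page. It ties together the authorization code, client credentials and refresh token requests above in a small Python client: it builds the authorize URL with a single scope and an unguessable state, rejects a callback whose state does not match (the CSRF check), exchanges the code, and renews the access token shortly before expires_in runs out, using the refresh token when one exists and the client_credentials grant otherwise. Only the paths, parameter names and response shape documented above are assumed; the HTTP transport is injected so the demo runs offline against a constructed fake token endpoint, and `http_post` is the real transport to swap in.

```python
"""Minimal OAuth client for the Survalyzer /openid endpoints (added example)."""
import json
import secrets
import time
import urllib.parse
import urllib.request

AUTH_HOSTS = {  # data center -> authentication base URL (from the page)
    "swiss": "https://authentication.survalyzer-swiss.app",
    "eu": "https://authentication.survalyzer-eu.app",
}


def http_post(url, fields):
    """Real transport: POST application/x-www-form-urlencoded, return the JSON body."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class SurvalyzerAuth:
    def __init__(self, tenant, data_center, client_secret=None, post=http_post, clock=time.time):
        if data_center not in AUTH_HOSTS:
            raise ValueError(f"unknown data center {data_center!r}; expected 'swiss' or 'eu'")
        self.base = AUTH_HOSTS[data_center]
        self.client_id = f"{tenant}_api"          # naming convention from the page
        self.client_secret = client_secret
        self._post, self._clock = post, clock
        self._pending_state = None
        self._token = self._refresh_token = None
        self._expires_at = 0.0

    def authorize_url(self, redirect_uri):
        """Authorization code flow, step 1: one scope, URL-encoded redirect_uri, random state."""
        self._pending_state = secrets.token_urlsafe(32)
        query = urllib.parse.urlencode({"response_type": "code", "client_id": self.client_id,
                                        "redirect_uri": redirect_uri, "scope": "openid",
                                        "state": self._pending_state})
        return f"{self.base}/openid/authorize?{query}"

    def handle_callback(self, callback_url, redirect_uri):
        """Step 2: verify the returned state (CSRF check), then exchange the code."""
        params = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
        state = params.get("state", [""])[0].encode()
        if not self._pending_state or not secrets.compare_digest(state, self._pending_state.encode()):
            raise PermissionError("state mismatch: callback was not initiated by this client")
        self._pending_state = None                # a state value is single use
        code = params.get("code", [None])[0]
        if not code:
            raise ValueError("callback carries no authorization code")
        return self._store(self._post(f"{self.base}/openid/token", {
            "grant_type": "authorization_code", "code": code,
            "client_id": self.client_id, "redirect_uri": redirect_uri}))

    def client_credentials(self):
        """Machine-to-machine flow with account rights; the secret travels in the POST body."""
        return self._store(self._post(f"{self.base}/openid/token", {
            "grant_type": "client_credentials", "client_id": self.client_id,
            "client_secret": self.client_secret}))

    def refresh(self, redirect_uri):
        if not self._refresh_token:
            raise RuntimeError("no refresh token; re-authenticate")
        return self._store(self._post(f"{self.base}/openid/token", {
            "grant_type": "refresh_token", "refresh_token": self._refresh_token,
            "client_id": self.client_id, "client_secret": self.client_secret,
            "redirect_uri": redirect_uri, "scope": "openid"}))

    def _store(self, resp):
        if resp.get("token_type", "").lower() != "bearer" or "access_token" not in resp:
            raise RuntimeError(f"unexpected token response fields: {sorted(resp)}")
        self._token = resp["access_token"]
        self._refresh_token = resp.get("refresh_token", self._refresh_token)
        self._expires_at = self._clock() + int(resp.get("expires_in", 1800))
        return self._token

    def auth_header(self, redirect_uri=None, margin=60):
        """Authorization header for API calls; renews the token within `margin` s of expiry."""
        if self._token is None or self._clock() >= self._expires_at - margin:
            self.refresh(redirect_uri) if self._refresh_token else self.client_credentials()
        return {"Authorization": f"Bearer {self._token}"}


class FakeTokenEndpoint:
    """Constructed stand-in for /openid/token so the demo runs offline; records every request."""
    def __init__(self):
        self.calls, self.n = [], 0

    def __call__(self, url, fields):
        self.calls.append((url, dict(fields)))
        self.n += 1
        resp = {"access_token": f"at{self.n}", "token_type": "bearer", "expires_in": 1800}
        if fields["grant_type"] in ("authorization_code", "password", "refresh_token"):
            resp.update({"refresh_token": f"rt{self.n}", "id_token": "id"})
        return resp


def demo(redirect_uri="https://app.example/cb"):
    """Authorization code login, then an automatic refresh 30 s before expiry (clock is simulated)."""
    fake, now = FakeTokenEndpoint(), [1_000_000.0]
    auth = SurvalyzerAuth("acme", "eu", client_secret="s3cret", post=fake, clock=lambda: now[0])
    url = auth.authorize_url(redirect_uri)
    state = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["state"][0]
    auth.handle_callback(f"{redirect_uri}?code=abc&state={state}", redirect_uri)
    first = auth.auth_header(redirect_uri)
    now[0] += 1800 - 30                           # inside the 60 s margin -> refresh
    second = auth.auth_header(redirect_uri)
    return fake.calls, first, second


if __name__ == "__main__":
    print(demo())
```

The refresh request carries client_secret as the page specifies, so this class belongs on a server; a browser client would perform only the authorize step and hand the code to a backend that holds the secret.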
Logout
The username needs to be transmitted as id_token_hint; it can be taken from the subject claim of the identity token.
GET /openid/logout?id_token_hint={username}&post_logout_redirect_uri={your return url}&state={some unique transaction string}
[Deprecated] Access token (for v1 and v2 endpoints)
To get an access token, call:
POST /publicapi/Authentication/v1/GetApiToken
Content-Type: application/json; charset=utf-8
Body:
{ "tenant": "{tenant}", "username": "{username}", "password": "{password}" }
Returns:
{ "accessToken": "{token}", "isSuccess": true, "errorMessage": "" }
In all subsequent calls add the following header:
Authorization: Bearer {token}
The token expires after 12 hours. There is no refresh token, so GetApiToken must be called again to obtain a new one.
The v1 and v2 endpoints are deprecated but will be supported until 31.12.2024.