All of Survalyzers Public APIs require authentication. The authentication needs to be provided with the Authorization Header and the Bearer scheme. To acquire a Bearer Token there are several ways based on OAuth.
OAuth Endpoints
Depending on the data center your account is hosted the Endpoints are different. Your Url shows you two important information:
- The tenant
- The data center
The data center in the Url is either swiss or eu. The related endpoint are documented on the following pages.
Swiss: https://authentication.survalyzer-swiss.app/swagger/index.html
EU: https://authentication.survalyzer-eu.app/swagger/index.html
The client_id for the public api is {tenant}_api.
The client_secret will be handed over by Survalyzer but will soon be integrated in the Account Settings.
Authorization code (Human Interactive flow)
Authorize endpoint
GET /openid/authorize?response_type=code&client_id={tenant}_api&redirect_uri={your return url}&scope=openid&state={some unique transaction string}&scope=openid
Token endpoint
POST /openid/token
Content-Type: application/x-www-form-urlencoded
Body: grant_type=authorization_code&code={code from authorize call}&client_id={tenant}_api&client_secret={your application secret}&redirect_uri={your return url}
Returns:
{
"access_token":"{token}",
"refresh_token": "{refresh token}",
"token_type":"bearer",
"id_token": "{id token}",
"expires_in":1800
}Client credentials (Machine to Machine, API User)
Token endpoint
POST /openid/token
Content-Type: application/x-www-form-urlencoded
Body: grant_type=client_credentials&client_id={tenant}_api&client_secret={your application secret}
Returns:
{
"access_token":"{token}",
"refresh_token": "{refresh token}",
"token_type":"bearer",
"expires_in":1800
}Password credentials (Machine to Machine, Dedicated User)
Token endpoint
POST /openid/token
Content-Type: application/x-www-form-urlencoded
Body: grant_type=password&client_id={tenant}_api&client_secret={your application secret}&username={username}&password={password}&scope=openid
Optional: &panel_id={panel id}
Returns:
{
"access_token":"{token}",
"refresh_token": "{refresh token}",
"token_type":"bearer",
"expires_in":1800
}Refresh Tokens
The access tokens are valid for 30 minutes. After this time a new token needs to be acquired by using the refresh token which is valid for 24 hours.
POST /openid/token
Content-Type: application/x-www-form-urlencoded
Body: grant_type=refresh_token&refresh_token={refresh token}&client_id={tenant}_api&client_secret={your application secret}&redirect_uri={your return url}&scope=openid
Returns:
{
"access_token":"{token}",
"refresh_token": "{refresh token}",
"token_type":"bearer",
"expires_in":1800
}[Deprecated] Access token (for v1 and v2 endpoints )
To get an access token the following request needs to be called:
POST /publicapi/Authentication/v1/GetApiToken
Content-Type: application/json, UTF8
Body:
{
"tenant": "{tenant}",
"username": "{username}",
"password": "{password}"
}Returns:
{
"accessToken": {token},
"isSuccess":true,
"errorMessage":""
}In all subsequent calls add the following header:
Authorization: Bearer {token}
The token expires after 12 hours. There is no refresh token, therefore the GetApiToken service needs to be called again.
The v1 and v2 endpoints are deprecated, but will be supported until 31.12.2024.