
Authentication

All of Survalyzer's Public APIs require authentication. The token is sent in the Authorization header using the Bearer scheme. There are several OAuth-based ways to acquire a bearer token, described below.

OAuth Endpoints

The endpoints differ depending on the data center your account is hosted in. Your account URL tells you two things:

  1. The tenant
  2. The data center

The data center in the URL is either swiss or eu. The related endpoints are documented on the following pages:

Swiss: https://authentication.survalyzer-swiss.app/swagger/index.html
EU: https://authentication.survalyzer-eu.app/swagger/index.html

The client_id and the client_secret can be found in the account settings on the Automation tab. Treat the client_secret like a password: with the client credentials flow it grants account-level access.

Authorization code (Human Interactive flow)

Authorize endpoint

GET /openid/authorize?response_type=code&client_id={tenant}_api&redirect_uri={your return url}&scope=openid&state={some unique transaction string}

The state value must be unguessable and unique per login attempt. When the user is redirected back to your return URL, verify that the returned state matches the one you sent before exchanging the code.

Token endpoint

POST /openid/token
Content-Type: application/x-www-form-urlencoded
Body: grant_type=authorization_code&code={code from authorize call}&client_id={tenant}_api&redirect_uri={your return url}

Returns:

{
  "access_token":"{token}",
  "refresh_token": "{refresh token}",
  "token_type":"bearer",
  "id_token": "{id token}",
  "expires_in":1800
}
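The three steps of the authorization code flow (send the browser to the authorize endpoint, receive the code on the return URL, exchange it at the token endpoint) as an added Python example. This is not Survalyzer's own code; it assumes the /openid/* paths are served by the per-data-center authentication hosts that the Swagger links above point at, and uses a made-up tenant and return URL.

```python
import hmac
import json
import secrets
import urllib.parse
import urllib.request

# Assumed: the /openid/* paths hang off the per-data-center authentication
# host that this page's Swagger links point at.
AUTH_HOSTS = {
    "swiss": "https://authentication.survalyzer-swiss.app",
    "eu": "https://authentication.survalyzer-eu.app",
}


def new_state():
    """Unguessable per-login value; echoed back on the redirect and checked there."""
    return secrets.token_urlsafe(32)


def build_authorize_url(data_center, tenant, redirect_uri, state):
    """Step 1: the URL the user's browser is sent to (GET /openid/authorize)."""
    params = {
        "response_type": "code",
        "client_id": f"{tenant}_api",
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    }
    return f"{AUTH_HOSTS[data_center]}/openid/authorize?{urllib.parse.urlencode(params)}"


def extract_code(callback_url, expected_state):
    """Step 2: parse the redirect back to redirect_uri and return the code.

    Refuses a missing or foreign state so an attacker cannot splice their own
    code into a victim's session (login CSRF)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise PermissionError("state mismatch on callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no code")
    return code


def build_token_request(data_center, tenant, code, redirect_uri):
    """Step 3: the form POST for the code exchange (POST /openid/token).
    Returns (url, headers, body) so it can be inspected or sent with any client."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": f"{tenant}_api",
        "redirect_uri": redirect_uri,   # must equal the one used in step 1
    })
    url = f"{AUTH_HOSTS[data_center]}/openid/token"
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def exchange_code(data_center, tenant, code, redirect_uri):
    """Send the step-3 request and return the parsed token reply."""
    url, headers, body = build_token_request(data_center, tenant, code, redirect_uri)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed walk-through with a made-up tenant and return URL; nothing is
    # sent over the network until exchange_code is called with a real code.
    state = new_state()
    print("Send the user to:", build_authorize_url("eu", "acme", "https://app.example/cb", state))
    fake_callback = f"https://app.example/cb?code=abc123&state={state}"
    code = extract_code(fake_callback, state)
    print("Exchange request:", build_token_request("eu", "acme", code, "https://app.example/cb"))
```

Keep the state in server-side session storage between step 1 and step 2; comparing it with a constant-time function is cheap, and a callback whose state is absent or different must never be exchanged for a token.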

Client credentials (Machine to Machine, Account rights)

Token endpoint

POST /openid/token
Content-Type: application/x-www-form-urlencoded
Body: grant_type=client_credentials&client_id={tenant}_api&client_secret={your application secret}

Returns:

{
  "access_token":"{token}",
  "token_type":"bearer",
  "expires_in":1800
}

Password credentials (Machine to Machine, User rights)

Token endpoint

POST /openid/token
Content-Type: application/x-www-form-urlencoded
Body: grant_type=password&client_id={tenant}_api&username={username}&password={password}&scope=openid
Optional: &panel_id={panel id}

Returns:

{
  "access_token":"{token}",
  "refresh_token": "{refresh token}",
  "token_type":"bearer",
  "id_token": "{id token}",
  "expires_in":1800
}

Refresh Tokens

Access tokens are valid for 30 minutes (expires_in is given in seconds). Before or after that time a new access token is acquired with the refresh token, which is valid for 24 hours. The client credentials flow returns no refresh token; repeat the client credentials request instead.

POST /openid/token
Content-Type: application/x-www-form-urlencoded
Body: grant_type=refresh_token&refresh_token={refresh token}&client_id={tenant}_api&client_secret={your application secret}&redirect_uri={your return url}&scope=openid

Returns:

{
  "access_token":"{token}",
  "refresh_token": "{refresh token}",
  "token_type":"bearer",
  "id_token": "{id token}",
  "expires_in":1800
}
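The machine-to-machine token lifecycle for the client credentials and password flows above, including renewal before the 30-minute expiry via grant_type=refresh_token (with a fall-back to the original grant when the refresh token itself has expired), as an added Python example. This is not Survalyzer's own client; it assumes the /openid/token path is served by the per-data-center authentication hosts named in the Swagger links, and the HTTP transport and clock are injectable so the renewal logic runs without a network.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumed: the /openid/token path is served by the per-data-center
# authentication host that this page's Swagger links point at.
AUTH_HOSTS = {
    "swiss": "https://authentication.survalyzer-swiss.app",
    "eu": "https://authentication.survalyzer-eu.app",
}


def http_post_form(url, form):
    """POST an application/x-www-form-urlencoded body and decode the JSON reply."""
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class TokenSession:
    """Holds the bearer token for one tenant and renews it before the 30-minute expiry.

    `post` and `clock` are injectable so the renewal logic can be exercised
    offline with a fake token endpoint."""

    def __init__(self, data_center, tenant, post=http_post_form,
                 clock=time.monotonic, margin_seconds=60):
        self.token_url = AUTH_HOSTS[data_center] + "/openid/token"
        self.client_id = f"{tenant}_api"
        self._post = post
        self._clock = clock
        self._margin = margin_seconds
        self._grant = None          # form of the initial grant, replayed when no refresh token exists
        self._refresh_form = None   # static part of the refresh_token request
        self._access_token = None
        self._refresh_token = None
        self._expires_at = 0.0

    def login_client_credentials(self, client_secret):
        """Machine to machine, account rights. The reply carries no refresh_token,
        so renewal simply repeats this grant."""
        self._grant = {
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": client_secret,
        }
        self._refresh_form = None
        self._store(self._post(self.token_url, self._grant))

    def login_password(self, username, password, client_secret, redirect_uri, panel_id=None):
        """Machine to machine, user rights. The reply carries a refresh_token (24 h),
        so renewal uses grant_type=refresh_token with the fields documented above."""
        self._grant = {
            "grant_type": "password",
            "client_id": self.client_id,
            "username": username,
            "password": password,
            "scope": "openid",
        }
        if panel_id is not None:
            self._grant["panel_id"] = panel_id
        self._refresh_form = {
            "grant_type": "refresh_token",
            "client_id": self.client_id,
            "client_secret": client_secret,
            "redirect_uri": redirect_uri,
            "scope": "openid",
        }
        self._store(self._post(self.token_url, self._grant))

    def _store(self, reply):
        if "access_token" not in reply:
            raise RuntimeError(f"token endpoint returned no access_token: {reply}")
        self._access_token = reply["access_token"]
        self._refresh_token = reply.get("refresh_token")
        self._expires_at = self._clock() + float(reply.get("expires_in", 0))

    def _renew(self):
        if self._grant is None:
            raise RuntimeError("call a login_* method first")
        if self._refresh_form and self._refresh_token:
            try:
                form = dict(self._refresh_form, refresh_token=self._refresh_token)
                self._store(self._post(self.token_url, form))
                return
            except Exception:
                pass  # refresh token expired (24 h) or rejected: fall back to the original grant
        self._store(self._post(self.token_url, self._grant))

    def auth_header(self):
        """Return the Authorization header for an API call, renewing the token
        first if it is within `margin_seconds` of its expiry."""
        if self._access_token is None or self._clock() >= self._expires_at - self._margin:
            self._renew()
        return {"Authorization": f"Bearer {self._access_token}"}
```

Renewing inside a safety margin rather than exactly at expires_in avoids a request that is in flight when the token lapses. The password and client secret stay in memory only because the page documents no refresh token for the client credentials flow and a 24-hour lifetime for the others; load them from a secret store rather than source code.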

Logout

The username must be passed as id_token_hint. It can be taken from the sub (subject) claim of the ID token returned by the token endpoint.

GET /openid/logout?id_token_hint={username}&post_logout_redirect_uri={your return url}&state={some unique transaction string}

[Deprecated] Access token (for v1 and v2 endpoints)

To get an access token the following request needs to be called:

POST /publicapi/Authentication/v1/GetApiToken
Content-Type: application/json; charset=utf-8
Body:

{
  "tenant": "{tenant}",
  "username": "{username}",
  "password": "{password}"
}

Returns:

{
  "accessToken": "{token}",
  "isSuccess":true,
  "errorMessage":""
}

In all subsequent calls add the following header:
Authorization: Bearer {token}

The token expires after 12 hours. There is no refresh token, so GetApiToken must be called again to obtain a new one.

The v1 and v2 endpoints are deprecated, but will be supported until 31.12.2024.

Updated on September 1, 2023
