Authentication APIs
The Authentication APIs allow you to generate temporary access tokens for use with other OneAssure APIs.
Generate Token
Create a temporary access token using your API credentials.
Endpoint
POST /v1/auth/token
Request
Body
{
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "scopes": ["business"]
}
Fields
| Field | Type | Description |
|---|---|---|
| client_id | string | Your API access key provided by OneAssure |
| client_secret | string | Your API secret access key provided by OneAssure |
| scopes | array | OAuth scopes to be granted to the token |
Response
Success Response
{
  "payload": {
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
    "expires_in": 3600,
    "token_type": "Bearer"
  }
}
Error Response
Invalid Credentials (401 Unauthorized)
{
  "type": "A4001",
  "title": "Invalid Authentication Credentials",
  "detail": "The provided access key or secret access key is invalid",
  "instance": "/v1/auth/token"
}
Rate Limit Exceeded (429 Too Many Requests)
{
  "type": "A4290",
  "title": "Rate Limit Exceeded",
  "detail": "Too many token requests. Please try again in 60 seconds",
  "instance": "/v1/auth/token"
}
Unexpected Error (500 Internal Server Error)
{
  "type": "E5000",
  "title": "An unexpected error occurred",
  "detail": "",
  "instance": "/v1/auth/token"
}
Response Fields
Success Response
| Field | Type | Description |
|---|---|---|
| access_token | string | JWT token to be used for API authentication |
| expires_in | number | Number of seconds until the token expires |
| token_type | string | Type of token (always "Bearer") |
Error Response
| Field | Type | Description |
|---|---|---|
| type | string | Error code (e.g., "A4001") |
| title | string | Brief error description |
| detail | string | Detailed error message |
| instance | string | API endpoint where error occurred |
Using the Token
Include the token in the Authorization header of all API requests:
Authorization: Bearer YOUR_TOKEN
Token Lifecycle
- Tokens are valid for 1 hour from the time of creation
- You can generate a new token at any time
- For security reasons, tokens cannot be refreshed and must be regenerated
- Each partner is limited to 100 token generations per hour
Security Best Practices
- Store credentials securely
  - Never hardcode credentials in your application
  - Use environment variables or a secure vault
- Rotate credentials regularly
  - Change your secret access key periodically
  - Contact OneAssure support to rotate your credentials
- Limit token exposure
  - Do not share tokens between different applications
  - Do not store tokens in client-side code or expose them to end users
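The token lifecycle and the credential-handling practices above can be combined in one server-side helper. The following is an added example, not OneAssure's own code: it reads credentials from the environment, reuses one token until shortly before `expires_in` elapses (which keeps a service well under the hourly generation limit), regenerates instead of refreshing, and raises errors that never contain the secret. The environment variable names, the base URL, the class and function names and the 60-second safety margin are assumptions of this example.

```python
import json
import os
import time
import urllib.error
import urllib.request

TOKEN_PATH = "/v1/auth/token"  # endpoint documented on this page

class TokenError(Exception):
    def __init__(self, status, code, title):
        # Only the status and the API error code/title; never the request body.
        super().__init__(f"token request failed: HTTP {status} {code} {title}")
        self.status, self.code = status, code

def http_post(url, body):
    # Default transport: POST JSON, return (status, parsed JSON body).
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

class TokenCache:
    def __init__(self, base_url, client_id, client_secret, scopes=("business",),
                 post=http_post, clock=time.monotonic, margin=60):
        self._url = base_url.rstrip("/") + TOKEN_PATH
        self._body = {"client_id": client_id, "client_secret": client_secret,
                      "scopes": list(scopes)}
        self._post, self._clock, self._margin = post, clock, margin
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token and self._clock() < self._expires_at - self._margin:
            return self._token  # still valid: no request, no rate-limit cost
        status, data = self._post(self._url, self._body)  # regenerate
        if status != 200:
            raise TokenError(status, data.get("type"), data.get("title"))
        payload = data["payload"]
        self._expires_at = self._clock() + payload["expires_in"]
        self._token = payload["access_token"]
        return self._token

    def auth_header(self):
        return {"Authorization": f"Bearer {self.get()}"}

def from_env(env=os.environ):
    # Variable names are assumptions of this example, not OneAssure's.
    return TokenCache(env["ONEASSURE_BASE_URL"], env["ONEASSURE_CLIENT_ID"],
                      env["ONEASSURE_CLIENT_SECRET"])
```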