Access tokens

For each API call you make you need to authenticate. The authentication is managed via access tokens. An access token is installation-specific and can be acquired via the authorization flow described in Authorization. An access token comes in pair with a refresh token, which is used to request a new access token after expiration of the access token. Keep both tokens secret and do not share them in publicly accessible areas. For each API request, the access token should be placed in the header of the request. After 24 hours access tokens are expired and need to be refreshed.

Refresh tokens

After 24 hours access tokens are expired. Request a new one using the refresh token that was obtained together with the outdated access token.

Code Example:

curl -d 'client_id=CLIENT_ID' \
-d 'client_secret=THE_SECRET' \
-d 'grant_type=refresh_token' \
-d 'refresh_token=dfea2eccfd4183e74ff111c79aecf48e' \
-X POST https://nedap-bi.com/oauth/token

If everything went ok, the authorization server returns a new access and refresh token pair.

Successful response:

{
"access_token":"26a7ffb4adccf81530582b6310cb1008cfb45c1f2d01346",
"token_type":"bearer",
"expires_in":7200,
"refresh_token":"dfea2ecca08bd37fdf171f1b5ff111c256f679aecf48e",
"scope":"account"
}

Every time the access token is refreshed, a new pair of access token and refresh token is generated. If an invalid / outdated refresh token is used, the following error will be shown:

Failed response:

{
"error":"invalid_request",
"error_description":"The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed."
}