Skip to main content

App

An app enables the consumer to request an access token through the app key and secret. With the access token it is possible to request protected API endpoints. There is a default consumer implementation located at developer/ which enables a user to manage their apps. The consumer can use any OAuth2 client to request an access token. Fusio supports by default the client_credentials grant type. Please take a look at the OAuth2 RFC for more information about the flow.

Configuration

app_create

Status

The status of the app.

User

The user which is assigned to the app. If the app key/secret is used to obtain an access token the app can act on behalf this selected user.

Name

The name of the app.

Url

The url of the app.

Scopes

The scopes which are assigned to this app.

Client credentials

Request

POST /authorization/token
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials

For a Basic authorization header you need to provide the [app key] + ":" + [app secret] as a base64 encoded string. It is also possible to provide your username and password but in general it is recommended to use the app key and secret since the app access can always be revoked later on.

Response

{
"access_token": "",
"token_type": "bearer",
"expires_in": 3600,
"refresh_token": ""
}

Refresh token

Most token responses always include a refresh token. You can use this refresh token to extend an access token before it expires.

Request

POST /authorization/token
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=[refresh_token]

Like at the client credentials call the Basic header must contain the base64 encode app key and secret.

Response

{
"access_token": "",
"token_type": "bearer",
"expires_in": 3600,
"refresh_token": ""
}

As response you will get the refreshed access token.