Sysapp Authentication

A sysapp uses OpenID Connect's Client Credential Flow to obtain an access token referred to as the system token. Before starting, ensure the necessary app credentials and URLs are available, as described in the Getting Started guide.

Getting system token

In the Client Credential Flow, get an access token by calling the /token endpoint:

curl --location --request POST '${Authorization Url}/v1/token' \
--header 'accept: application/json' \
--header 'authorization: Basic <base64(${client-id}:${client-secret})>' \
--header 'cache-control: no-cache' \
--header 'content-type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=s2s'

The authorization header in the request above follows HTTP Basic Authentication: the client-id and client-secret are used as the username and password, respectively, and the base64 encoding of `client-id:client-secret` is sent after the word Basic. Authorization Url is a unique URL for each fabric merchant. It is, however, common across all sysapps defined for a single merchant.

fabric Identity returns the access token in the following response:

{
    "token_type": "Bearer",
    "expires_in": 600,
    "access_token": "eyJraWQiOiIt...",
    "scope": "s2s"
}

access_token is the system token generated by fabric Identity and is used by the sysapp for all subsequent fabric API calls. System token expiration is set to 10 minutes (600 seconds) by default. Once the token expires, the API client is expected to generate another access token using the same HTTP call shown above.

Using system token

Upon receiving a valid access token, the API client can call any fabric API by specifying the access_token as the Bearer token in the authorization header:

curl --location --request GET '${fabric Endpoint Url}/v1/product' \
--header 'accept: application/json' \
--header 'authorization: Bearer ${access_token}' \
--header 'cache-control: no-cache'
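The two calls above, put together as an added example (this is not fabric's own client library): it builds the Basic header from client-id and client-secret, POSTs the client_credentials grant with scope s2s to ${Authorization Url}/v1/token, and caches the returned system token so that it is re-fetched a little before the 600-second expires_in elapses rather than after a call has already failed. The opener and now parameters are assumptions added so the logic can be exercised offline.

```python
import base64
import json
import time
import urllib.parse
import urllib.request


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Value for the authorization header on the /token call: base64(client-id:client-secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def request_system_token(auth_url, client_id, client_secret, opener=urllib.request.urlopen):
    """POST the client_credentials grant with scope s2s and return the parsed JSON response."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": "s2s"}).encode()
    req = urllib.request.Request(
        f"{auth_url.rstrip('/')}/v1/token", data=body, method="POST",
        headers={"accept": "application/json",
                 "authorization": basic_auth_header(client_id, client_secret),
                 "cache-control": "no-cache",
                 "content-type": "application/x-www-form-urlencoded"})
    with opener(req) as resp:  # opener is injectable (assumption) so the call can be tested offline
        return json.loads(resp.read())


class SystemTokenCache:
    """Holds one system token and re-fetches it shortly before expires_in elapses."""

    def __init__(self, fetch, now=time.monotonic, margin_seconds=30):
        self._fetch = fetch            # callable returning the /token JSON response
        self._now = now                # injectable clock (assumption) for deterministic tests
        self._margin = margin_seconds  # refresh early so an in-flight call never carries an expired token
        self._token = None
        self._expires_at = 0.0

    def get_token(self) -> str:
        if self._token is None or self._now() >= self._expires_at - self._margin:
            resp = self._fetch()
            if resp.get("token_type") != "Bearer" or "access_token" not in resp:
                raise ValueError("unexpected token response")
            self._token = resp["access_token"]
            self._expires_at = self._now() + float(resp["expires_in"])
        return self._token

    def bearer_header(self) -> str:
        """Value for the authorization header on subsequent fabric API calls."""
        return "Bearer " + self.get_token()
```

Wire it up with `SystemTokenCache(lambda: request_system_token(auth_url, client_id, client_secret))` and send `cache.bearer_header()` as the authorization header on every fabric API call.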