Authentication
The API uses OAuth 2.0 Resource Owner Password Credentials Grant to authenticate
users. This grant type is suitable for clients that have direct access to the
user's credentials. The client sends the user's credentials to the server and
receives an access token and a refresh token in return.
Both the access token and the refresh token are sensitive data and must be stored securely.
Creating a token
When the grant_type is set to password, the endpoint authenticates the user with
the provided username and password. If authentication succeeds, the endpoint
returns an access token and a refresh token. The access token is used to
authenticate requests to the other endpoints; the refresh token is a long-lived
token used only to obtain a new access token when the current one expires.
Refresh tokens cannot be used as access tokens.
Multi-Factor Authentication
If the user account is protected by multi-factor authentication (MFA), the
endpoint will respond with a 401 Unauthorized status and include a challenge
field in the response body. This field contains a unique identifier. To complete
the token creation, the client must complete the challenge by sending a request
to the /token/challenge endpoint.
Refreshing a token
When the grant_type is set to refresh_token, the endpoint will refresh the
access token using the provided refresh token.
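The three flows described above (password grant, the 401 MFA challenge, and the refresh grant) as one added client-side example; this is illustrative code, not the API's own client or server. The token endpoint path (the page names only /token/challenge), the JSON field names, and the in-memory server stand-in are assumptions constructed so the example runs offline.

```python
import hmac

# Assumed: the page names only /token/challenge, so the token endpoint path
# and the JSON field names (access_token, refresh_token, challenge) are guesses.
TOKEN_URL = "https://api.example.invalid/token"


class MfaRequired(Exception):
    """Raised when the server answers 401 with a 'challenge' id (MFA-protected user)."""
    def __init__(self, challenge):
        super().__init__("multi-factor challenge required")
        self.challenge = challenge  # to be completed against /token/challenge


def create_token(post, username, password):
    """grant_type=password: exchange the user's credentials for both tokens."""
    status, body = post(TOKEN_URL, {"grant_type": "password",
                                    "username": username, "password": password})
    if status == 401 and "challenge" in body:
        raise MfaRequired(body["challenge"])
    if status != 200:
        raise PermissionError("token request failed with status %d" % status)
    return {"access_token": body["access_token"], "refresh_token": body["refresh_token"]}


def refresh_access_token(post, refresh_token):
    """grant_type=refresh_token: trade a refresh token for a new access token."""
    status, body = post(TOKEN_URL, {"grant_type": "refresh_token",
                                    "refresh_token": refresh_token})
    if status != 200:
        raise PermissionError("refresh failed with status %d" % status)
    return body["access_token"]


# Constructed in-memory stand-in for the server so the example runs offline.
_USERS = {"alice": ("s3cret", False), "bob": ("hunter2", True)}  # (password, MFA?)
_REFRESH_TOKENS = {"rt-alice": "alice"}  # only refresh tokens are accepted here


def fake_post(url, form):
    assert url == TOKEN_URL
    if form["grant_type"] == "password":
        pw, mfa = _USERS.get(form["username"], (None, False))
        if pw is None or not hmac.compare_digest(pw, form["password"]):
            return 401, {"error": "invalid_grant"}
        if mfa:
            return 401, {"challenge": "chal-0001"}  # client must finish MFA first
        return 200, {"access_token": "at-1", "refresh_token": "rt-alice"}
    if form["grant_type"] == "refresh_token":
        if form["refresh_token"] not in _REFRESH_TOKENS:  # access tokens rejected
            return 401, {"error": "invalid_grant"}
        return 200, {"access_token": "at-2"}
    return 400, {"error": "unsupported_grant_type"}
```

Passing an access token where a refresh token is expected is rejected by the stand-in, mirroring the rule that refresh tokens and access tokens are not interchangeable.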