Bearer token authentication is used to ensure only relevant Enable customers can access and read information from the Enable API. In order to retrieve data back from any Enable API endpoint, a valid JSON Web Token (JWT) must be passed on every request.
A JWT can be generated by passing access credentials to an endpoint at.
The token endpoint requires the API consumer to post the following as application/x-www-form-urlencoded form data:
The dealtrack_registration_id and client_id are Universally Unique Identifiers (UUIDs) that will be provided to you when Enable gives you access to the API. They are used to uniquely identify you and your Enable client instance.
The client_secret is the password you provide to the API to verify your identity. It will be provided to you securely when Enable provisions the API for you. Since the client_secret is a password, it must be stored securely and only shared with trusted parties.
The JWT can be used to give selective access to different parts of the Enable API. This is achieved with token scope. When requesting a new token from the API you must include the scope that you require access to. If your credentials permit access to those areas of the system, then a token will be returned that can grant access to the endpoints that return data from that part of the system. However, if the requested scope encompasses an area of the system that you do not have permission to access, then an error of invalid_scope will be returned.
There are currently three supported values that can be contained within the scope field. They provide read access to deals, activity logs and users respectively.
If you want to request data from the Deals endpoint, for example, then read:deals must be included in the scope field. If you do not include this, then you will not be able to access the Deals endpoint.
The value of the scope field is expressed as a list of space-delimited, case-sensitive strings. You can increase the scope of the token by appending items, such as read:deals, to this list.
The grant_type is the flow that the API uses when authorizing a token request. It dictates the process used when you attempt to gain access to the API.
Currently, the API only supports the Client Credentials flow; therefore, the grant_type field should always be set to client_credentials.
Example
An example has been provided below for how to request an authentication token. The following form data is included within the example.
If a token is requested using valid credentials you will receive a response in the following structure:
The token_string is the string you will need to pass to the Enable API as the bearer token value for any subsequent requests. The expires_in value is the time left in seconds until the token expires. After this time the token will stop working and it will be necessary to request a new one.
If the API is unable to process the authentication request, then it will return the following response:
Where error will be one of the following:
Once requested, the token can be stored locally and used until expiry. For every request, the Enable API endpoints require the API consumer to set the Authorization mode to “Bearer” and set the value to the access_token. This can be done by adding a Header named “Authorization” with a value of Bearer {token_string}.
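The full cycle described above (form-encoded client_credentials request, parsing the token or error response, caching the token until just before expires_in runs out, and sending it as a Bearer header) as an added Python example, not code from Enable. It assumes a placeholder token URL, that the success response carries the token under access_token alongside expires_in, and a 30-second refresh margin of our own choosing; the HTTP call is injectable so the logic can be exercised without network access.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Placeholder: the page does not give the token endpoint URL.
TOKEN_URL = "https://TOKEN_ENDPOINT_PLACEHOLDER/token"
EXPIRY_MARGIN_SECONDS = 30  # our choice: refresh before expires_in elapses


def build_token_request(dealtrack_registration_id, client_id, client_secret, scopes):
    """Encode the client_credentials form body as application/x-www-form-urlencoded."""
    form = {
        "grant_type": "client_credentials",
        "dealtrack_registration_id": dealtrack_registration_id,
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),  # space-delimited, case-sensitive list
    }
    return urllib.parse.urlencode(form).encode()


def parse_token_response(status, body):
    """Return (token, expires_in) on success; raise with the API error code otherwise."""
    data = json.loads(body)
    if status != 200 or "error" in data:
        raise PermissionError(data.get("error", f"http {status}"))  # e.g. invalid_scope
    return data["access_token"], int(data["expires_in"])  # field names assumed


def http_post_form(url, body):
    """Real transport: POST the form body and return (status, response bytes)."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class TokenCache:
    """Request a token once and reuse it until shortly before it expires."""
    def __init__(self, creds, scopes, transport=http_post_form):
        self.creds, self.scopes, self.transport = creds, scopes, transport
        self.token, self.expires_at = None, 0.0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self.token is None or now >= self.expires_at - EXPIRY_MARGIN_SECONDS:
            status, body = self.transport(TOKEN_URL, build_token_request(*self.creds, self.scopes))
            self.token, expires_in = parse_token_response(status, body)
            self.expires_at = now + expires_in
        return self.token

    def auth_header(self, now=None):
        return {"Authorization": f"Bearer {self.get(now)}"}
```

Read the client_secret from a secrets store or environment variable rather than hard-coding it, since the page treats it as a password.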