Authentication With System App

sysapp uses OpenID Connect's Client Credential Flow to obtain an access token, referred to as the system token. Before getting started, ensure the necessary app credentials and URLs are available as mentioned here.

Getting system token

In the Client Credential Flow, getting an access token is a single-step process: invoke the /token endpoint as shown below.

curl --location --request POST '${Authorization Url}/v1/token' \
--header 'accept: application/json' \
--header 'authorization: Basic <base64(${client-id}:${client-secret})>' \
--header 'cache-control: no-cache' \
--header 'content-type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=s2s'

Note that the authorization header in the above request is constructed as per HTTP Basic Authentication, where the client-id and client-secret are used as the username and password respectively. The Authorization Url is a separate URL for each tenant in fabric. It is, however, common across all the sysapp(s) defined within a single tenant.

fabric Identity returns the access token in a response like the one below:

{
    "token_type": "Bearer",
    "expires_in": 600,
    "access_token": "eyJraWQiOiIt...",
    "scope": "s2s"
}

The field access_token is the system token generated by fabric Identity and should be used by sysapp for all subsequent calls to fabric APIs. Please note the default expiry of the system token is set to 10 minutes (600 seconds). Once the token expires, the API client is expected to generate another access token using the same HTTP call as shown above.

Using system token

Upon receiving a valid access token, the API client can call any fabric API by using the access_token in the Authorization header as shown below:

curl --location --request GET '${Fabric Endpoint Url}/v1/product' \
--header 'accept: application/json' \
--header 'authorization: Bearer ${access_token}' \
--header 'cache-control: no-cache'

Note the usage of the access token as the Bearer Token in the call to the fabric API.
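
The token request and the 600-second expiry described above can be handled by a small in-memory cache that renews the system token shortly before it lapses. This is an added example, not fabric's own client code: the names basic_auth_header, request_system_token and SystemTokenCache, the 30-second renewal margin, and the injected fetch and clock callables are assumptions made for illustration.

```python
import base64
import json
import time
import urllib.parse
import urllib.request


def basic_auth_header(client_id, client_secret):
    """HTTP Basic value: base64 of 'client-id:client-secret'."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def request_system_token(auth_url, client_id, client_secret):
    """POST {auth_url}/v1/token with the same headers and form as the curl call."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": "s2s"})
    req = urllib.request.Request(
        auth_url.rstrip("/") + "/v1/token", data=form.encode("ascii"), method="POST",
        headers={"accept": "application/json",
                 "authorization": basic_auth_header(client_id, client_secret),
                 "content-type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class SystemTokenCache:
    """Holds the system token in memory and renews it before expires_in elapses."""

    def __init__(self, fetch, skew=30, clock=time.monotonic):
        self._fetch = fetch    # callable returning the /token JSON as a dict
        self._skew = skew      # assumed renewal margin in seconds, not from the page
        self._clock = clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            body = self._fetch()
            if body.get("token_type") != "Bearer" or not body.get("access_token"):
                raise ValueError("token response missing Bearer access_token")
            self._token = body["access_token"]
            self._expires_at = now + int(body["expires_in"])
        return self._token

    def auth_headers(self):
        """Headers for a fabric API call; never log these or the client secret."""
        return {"accept": "application/json", "authorization": "Bearer " + self.get()}
```

In a real sysapp the cache would be built as `SystemTokenCache(lambda: request_system_token(auth_url, client_id, client_secret))`, with the client secret read from a secret store or environment variable rather than source code.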