Once the device is registered, you can authenticate using OAuth. This means you request a session token, and use it for authentication in the subsequent calls.
The endpoint to request the OAuth token is POST /oauth/token
. You need to pass the vendor client credentials, and the device code (as code
). The grant type is still device
.
POST /oauth/token HTTP/1.1
Host: connect-testing.secuconnect.com
Content-Type: application/json
Accept: application/json
{
"grant_type"
:
"device"
,
"client_id"
:
"611c00ec6b2be6c77c2338774f50040b"
,
"client_secret"
:
"dc1f422dde755f0b1c4ac04e7efbd6c4c78870691fe783266d7d6c89439925eb"
,
"code"
:
"2429e1d92f2f76cc3bbdc0333457ef25"
}
If evreything is fine, the API responds with 200 OK
, and the token amongst other things:
HTTP/1.1 200 OK
Content-Type: application/json
...
{
"access_token"
:
"c0p22mjoea0vktmfe09r9h1b40"
,
"expires_in"
: 1200,
"token_type"
:
"bearer"
,
"scope"
:
null
,
"refresh_token"
:
"d3aece0996cee981609cab15653db0e9bc9ef804"
}
The OAuth access token is found in access_token
(line 6). It is valid for 1200 seconds (s. expires_in
at line 7). The access token is to be sent in all subequent calls.
Note: There is only one OAuth access token per device session. The former token is invalidated when you create a new one. You should consider the place to store it carefully.
Your system should also memorize the refresh_token
. It can be used to create a new token without sending the device code again, as long as the session is valid.