Once the device is registered, you can authenticate using OAuth. This means you request a session token, and use it for authentication in the subsequent calls.
The endpoint to request the OAuth token is POST /oauth/token. You need to pass the vendor client credentials, and the device code (as the code field). The grant type is still device.
POST /oauth/token HTTP/1.1
Host: connect-testing.secuconnect.com
Content-Type: application/json
Accept: application/json

{
  "grant_type": "device",
  "client_id": "611c00ec6b2be6c77c2338774f50040b",
  "client_secret": "dc1f422dde755f0b1c4ac04e7efbd6c4c78870691fe783266d7d6c89439925eb",
  "code": "2429e1d92f2f76cc3bbdc0333457ef25"
}
If everything is fine, the API responds with 200 OK, and the token amongst other things:
HTTP/1.1 200 OK
Content-Type: application/json
...

{
  "access_token": "c0p22mjoea0vktmfe09r9h1b40",
  "expires_in": 1200,
  "token_type": "bearer",
  "scope": null,
  "refresh_token": "d3aece0996cee981609cab15653db0e9bc9ef804"
}
The OAuth access token is found in access_token (line 6). It is valid for 1200 seconds (see expires_in at line 7). The access token is to be sent in all subsequent calls.
Note: There is only one OAuth access token per device session. The former token is invalidated when you create a new one. You should consider the place to store it carefully.
Your system should also store the refresh_token. It can be used to create a new token without sending the device code again, as long as the session is valid.
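Because a new token invalidates the former one, every caller on the device should share one cached token and only one token request should be in flight at a time. The following is an added example, not code from this documentation or from secuconnect: `DeviceTokenCache` and the `post_json` transport callable are hypothetical names, the `Authorization: Bearer` header is assumed from standard OAuth 2.0 bearer usage, and renewal simply repeats the device grant because the refresh request format is not shown on this page.

```python
import threading
import time

TOKEN_PATH = "/oauth/token"  # endpoint named in the text above


def device_grant_body(client_id, client_secret, device_code):
    """Request body for the device grant, using the field names shown above."""
    return {"grant_type": "device", "client_id": client_id,
            "client_secret": client_secret, "code": device_code}


class DeviceTokenCache:
    """Holds the single access token of a device session (hypothetical helper)."""

    def __init__(self, post_json, credentials, margin=60, clock=time.monotonic):
        self._post_json = post_json      # assumed transport: (path, body) -> parsed JSON dict
        self._credentials = credentials  # (client_id, client_secret, device_code)
        self._margin = margin            # renew this many seconds before expires_in runs out
        self._clock = clock
        self._lock = threading.Lock()    # serializes requests so workers cannot
        self._access = None              # invalidate each other's token
        self._expires_at = 0.0
        self.refresh_token = None        # kept for the session renewal flow

    def token(self):
        with self._lock:
            if self._access is None or self._clock() >= self._expires_at:
                reply = self._post_json(TOKEN_PATH, device_grant_body(*self._credentials))
                if str(reply.get("token_type", "")).lower() != "bearer":
                    raise ValueError("unexpected token_type in token response")
                self._access = reply["access_token"]
                self._expires_at = self._clock() + int(reply["expires_in"]) - self._margin
                self.refresh_token = reply.get("refresh_token")
            return self._access

    def authorization_header(self):
        # Assumption: bearer tokens are sent in the standard Authorization header.
        return {"Authorization": "Bearer " + self.token()}

    def __repr__(self):
        # Keep the client secret, device code and tokens out of logs and tracebacks.
        return "DeviceTokenCache(<redacted>)"
```

Load the client secret and device code from protected storage at start-up rather than embedding them in source, and keep the cache in memory of a single process per device.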
See Manage the Device Connection to understand the whole process including device registration and session renewal.