Password Flow

⚠️ The password flow is not recommended: it requires the client application to collect, and often to store, the user's password, which is an inherent risk. The OAuth 2.0 Security Best Current Practice deprecates this grant for new applications.

The password grant type (Resource Owner Password Credentials) is an OAuth 2.0 flow for authenticating users that exists only to support legacy applications. We recommend the Authorization Code flow for retrieving user tokens wherever possible; with a confidential (server-side) client it also ensures that access tokens are delivered to your back end rather than to the browser.

If you are writing a native or single-page application that cannot store a client_secret securely, we recommend Authorization Code with PKCE.

Token request

Request tokens with the password flow by sending the user's credentials to the POST /connect/token endpoint as a form-encoded (application/x-www-form-urlencoded) body. The body must contain client_id, client_secret, grant_type=password, and the user's username and password. Because the password travels in the request body, send the request only over HTTPS and make sure the client never logs the body. A successful response returns an access_token, a refresh_token and an id_token; expires_in is the access token lifetime in seconds. Keep the refresh_token, not the password, for obtaining new tokens later.

POST /connect/token

POST https://id.aritma.io/{tenant}/connect/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

  client_id=YOUR_CLIENT_ID&
  client_secret=YOUR_CLIENT_SECRET&
  grant_type=password&
  username=USERNAME&
  password=PASSWORD
HTTP/1.1 200 OK
Content-Type: application/json
{
  "access_token":"eyJz93a...k4laUWw",
  "refresh_token":"GEbRxBN...edjnXbL",
  "id_token":"eyJ0XAi...4faeEoQ",
  "token_type":"Bearer",
  "expires_in":86400
}
Parameter                 Description
grant_type (required)     Denotes the flow you are using. For the password flow, use password.
client_id (required)      Your application's Client ID.
client_secret (required)  Your application's Client Secret.
username (required)       The username of the user.
password (required)       The user's password.
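The request above, built and parsed in Python as an added example. This is not code from the page or from Aritma; it uses only the standard library, and the tenant, client and user values are made up. It percent-encodes the form body (so a password containing &, =, + or % cannot corrupt the request), converts expires_in into an absolute expiry time, and returns only the tokens, so the password is not retained after the call. The error-response shape it checks for (an "error" field) is the standard OAuth 2.0 one and is not shown on this page.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Endpoint path from the page; the tenant is supplied by the caller.
TOKEN_PATH = "/connect/token"


def build_token_request(tenant, client_id, client_secret, username, password):
    """Return (url, headers, body) for a password-grant token request.

    urlencode percent-encodes every value, so a password such as "p&ss=w+rd"
    is carried intact instead of being split into extra form fields.
    """
    url = f"https://id.aritma.io/{tenant}{TOKEN_PATH}"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "password",
        "username": username,
        "password": password,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, body.encode("ascii")


def parse_token_response(raw, now=None):
    """Parse the JSON token response into the fields a client should keep.

    Raises ValueError for an OAuth error body or a malformed success body.
    expires_at is an absolute Unix time computed from expires_in (seconds).
    """
    data = json.loads(raw)
    if "error" in data:  # standard OAuth error shape (RFC 6749 section 5.2), not shown on the page
        raise ValueError("token request failed: %s %s" % (
            data["error"], data.get("error_description", "")))
    if "access_token" not in data or data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token response: %r" % data)
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),  # keep this, not the password
        "id_token": data.get("id_token"),
        "expires_at": now + int(data["expires_in"]),
    }


def request_tokens(tenant, client_id, client_secret, username, password):
    """Perform the live token request over HTTPS (needs network access)."""
    url, headers, body = build_token_request(
        tenant, client_id, client_secret, username, password)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.read())
    except urllib.error.HTTPError as exc:
        # A 400 carries the OAuth error JSON; surface it instead of the raw status.
        return parse_token_response(exc.read())


# Constructed sample response, copied from the shape shown on the page.
SAMPLE_RESPONSE = (
    b'{"access_token":"eyJz93a...k4laUWw","refresh_token":"GEbRxBN...edjnXbL",'
    b'"id_token":"eyJ0XAi...4faeEoQ","token_type":"Bearer","expires_in":86400}'
)

if __name__ == "__main__":
    url, headers, body = build_token_request(
        "acme", "my-client", "my-secret", "alice@example.com", "p&ss=w+rd 1")
    print(url)
    print(body.decode())  # password arrives as p%26ss%3Dw%2Brd+1
    tokens = parse_token_response(SAMPLE_RESPONSE, now=0)
    print("access token expires at", tokens["expires_at"])
```

Only the tokens dict leaves parse_token_response; nothing in it is written to disk by this example, and a real client should store the refresh_token in the platform's credential store rather than alongside application data.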