# Authentication

The Open Banking API uses [OpenID Connect](https://openid.net/connect/faq/) with the [OAuth 2.0](https://oauth.net/2/) standard for authenticating access tokens. Your access token authorizes you to use the Open Banking REST API.

This is the endpoint used for production environments:

```
https://id.aritma.io/connect/token
```

Note: For development use: `https://id.dev.aritma.io/connect/token`

## Scopes

| Scope | Description |
| --- | --- |
| `bankservice` | Access to the Open Banking API |

## Grant Types

The OpenID Connect and OAuth 2.0 specifications define so-called [grant types](https://auth0.com/docs/get-started/applications/application-grant-types) (often also called flows, or protocol flows). Grant types specify how a client can interact with the token service. The Open Banking API supports the following grant types:

| Grant Type | Description |
| --- | --- |
| `client_credentials` | [Client Credentials Grant](https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-credentials-flow) |
| `authorization_code` | [Authorization Code](/apis/platform/ids/flows/authorization-code) |
| `password` | [Resource Owner Password Grant](https://auth0.com/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow) |
| `implicit` | [Implicit Grant](https://auth0.com/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post) |

## Client Credentials Example Request

```bash cURL
curl -i -X POST "https://id.aritma.io/connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET"
```

```csharp C#
using System.Collections.Generic;
using System.Net.Http;

using var client = new HttpClient();
// Form fields of the client_credentials grant, sent as application/x-www-form-urlencoded
var form = new Dictionary<string, string>
{
    {"grant_type", "client_credentials"},
    {"client_id", "{CLIENT_ID}"},
    {"client_secret", "{CLIENT_SECRET}"},
};
var content = new FormUrlEncodedContent(form);
var response = await client.PostAsync("https://id.dev.aritma.io/connect/token", content);
```

```java Java
import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;

OkHttpClient client = new OkHttpClient().newBuilder()
    .build();
MediaType mediaType = MediaType.parse("application/x-www-form-urlencoded");
RequestBody body = RequestBody.create(mediaType,
    "grant_type=client_credentials&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}");
Request request = new Request.Builder()
    .url("https://id.dev.aritma.io/connect/token")
    .method("POST", body)
    .addHeader("Content-Type", "application/x-www-form-urlencoded")
    .build();
Response response = client.newCall(request).execute();
```

```javascript JavaScript
var myHeaders = new Headers();
myHeaders.append("Content-Type", "application/x-www-form-urlencoded");

var urlencoded = new URLSearchParams();
urlencoded.append("grant_type", "client_credentials");
urlencoded.append("client_id", "{CLIENT_ID}");
urlencoded.append("client_secret", "{CLIENT_SECRET}");

var requestOptions = {
  method: 'POST',
  headers: myHeaders,
  body: urlencoded,
  redirect: 'follow'
};

fetch("https://id.dev.aritma.io/connect/token", requestOptions)
  .then(response => response.text())
  .then(result => console.log(result))
  .catch(error => console.log('error', error));
```

```python Python
import requests

url = "https://id.aritma.io/connect/token"
payload = 'grant_type=client_credentials&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}'
headers = {
    'Content-Type': 'application/x-www-form-urlencoded'
}
response = requests.request("POST", url, headers=headers, data=payload)
```

## Postman

In the Postman app, complete the following:

1. Set the verb to `POST`.
2. Enter `https://id.dev.aritma.io/connect/token` as the request URL.
3. Select the `Body` tab.
4. Select the `x-www-form-urlencoded` option.
5. In the KEY field, enter `grant_type`.
   - In the VALUE field, enter `client_credentials`.
6. In the KEY field, enter `client_id`.
   - In the VALUE field, enter your client id.
7. In the KEY field, enter `client_secret`.
   - In the VALUE field, enter your client secret.
8. Select `Send`.

## Access Token

The token response contains the [JWT access token](https://www.rfc-editor.org/rfc/rfc7519), the number of seconds the token is valid, the included scopes and the token type.

| Parameter | Description |
| --- | --- |
| access_token | The [JWT access token](https://www.rfc-editor.org/rfc/rfc7519) |
| expires_in | The number of seconds the token is valid |
| token_type | The type of the token. Default: [Bearer](https://www.rfc-editor.org/rfc/rfc6750) |
| scope | Space-delimited list of scope permissions |

When you make calls to a REST API, include the access token in the Authorization header as a Bearer token. Reuse the access token until it expires.

```http
Authorization: Bearer {ACCESS_TOKEN}
```

### Example Response

```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjRDMzE4NkE5MjUwMjI4MUQ5Njg2NjNCNEQ2MEFDMjI5QUM3MkI3ODJSUzI1NiIsInR5cCI6ImF0K2p3dCIsIng1dCI6IlRER0dxU1VDS0IyV2htTzAxZ3JDS2F4eXQ0SSJ9.eyJuYmYiOjE2NjM1ODg0ODEsImV4cCI6MTY2MzU5MjA4MSwiaXNzIjoiaHR0cHM6Ly9pZC1kZXYuemRhdGEubm8iLCJhdWQiOlsic2VydmljZXMuc2V0dGxlbWVudCIsInphbSIsImh0dHBzOi8vaWQtZGV2LnpkYXRhLm5vL3Jlc291cmNlcyJdLCJjbGllbnRfaWQiOiJTZXR0bGVtZW50RXhhbXBsZUNsaWVudCIsImlhdCI6MTY2MzU4ODQ4MSwic2NvcGUiOlsic2VydmljZXMuc2V0dGxlbWVudCIsInphbSJdfQ.ZPZ0oZ7krdjmnidwlTJegmU2qkFP2QbvLphVfOdCf5lnT6utyLhveTI32RQTrAgmlX4zmpO-Mp5f7Ck3_5L0y1xrmJuvxFDQz3TW8sIdviZzPvFZ86Tt-Yk1dHjgsPaEKygmJGhfktxHGUqslaN_sFZJjyQPkIx5q5HGKnDNBUMo0Vx6TFo1V_HRa56QdGrApuCFjPu7goX6z2Qk0i0y1vVbkpWFqS_z-9m-8TgjF90aTkqWE866TGTZUEHxL10cnJFMQ6KTZk4Ez1tFkWCb9QW3RO8fvSKRDwDjBf0acToKbbyYvxf6XX4FZMRycFiSEsT-0rPPIKXDdB27br7j7g",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "bankservice"
}
```
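As an added example that is not code from the Open Banking API documentation or from Aritma, the following Python module ties the Client Credentials request and the Access Token section together: it builds the `client_credentials` form, reuses the issued token until shortly before `expires_in` runs out, sends it as a Bearer `Authorization` header, and decodes the JWT payload for inspection. The token endpoint and the `bankservice` scope are the page's; `FakeClock`, `make_fake_token_service`, the 60-second `SAFETY_MARGIN`, the `demo-kid` header value and the `demo-client` credentials are constructed for the example, and the fake token carries a placeholder third segment that nothing verifies.

```python
"""Added example: acquire a client_credentials token, reuse it until it is
about to expire, attach it as a Bearer header, and inspect the JWT claims.
Hypothetical helper code, not part of the Open Banking API documentation."""
import base64
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_URL = "https://id.dev.aritma.io/connect/token"  # page's development endpoint
SCOPE = "bankservice"                                 # page's only documented scope
SAFETY_MARGIN = 60  # seconds (assumption): refresh before the token actually expires


def build_token_request(client_id: str, client_secret: str, scope: str = SCOPE) -> Dict[str, str]:
    """Form fields of the client_credentials grant. Naming `scope` explicitly
    keeps the issued token limited to what this client needs."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}


def http_fetch(form: Dict[str, str], url: str = TOKEN_URL) -> dict:
    """Real transport: POST the form as x-www-form-urlencoded and parse the JSON
    token response. Only used when talking to the actual token service."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


@dataclass
class CachedToken:
    access_token: str
    scope: str
    expires_at: float  # Unix time derived from expires_in


class TokenCache:
    """Reuses one access token until SAFETY_MARGIN seconds before expiry.
    `fetch` and `now` are injected so the cache can be exercised offline."""

    def __init__(self, fetch: Callable[[Dict[str, str]], dict], client_id: str,
                 client_secret: str, now: Callable[[], float] = time.time):
        self._fetch, self._now = fetch, now
        self._client_id, self._client_secret = client_id, client_secret
        self._token: Optional[CachedToken] = None

    def get(self) -> CachedToken:
        if self._token is None or self._now() >= self._token.expires_at - SAFETY_MARGIN:
            resp = self._fetch(build_token_request(self._client_id, self._client_secret))
            # Check the response shape from the Access Token table before trusting it.
            if resp.get("token_type", "").lower() != "bearer":
                raise ValueError(f"unexpected token_type: {resp.get('token_type')!r}")
            if "access_token" not in resp or "expires_in" not in resp:
                raise ValueError("token response lacks access_token or expires_in")
            self._token = CachedToken(resp["access_token"], resp.get("scope", ""),
                                      self._now() + int(resp["expires_in"]))
        return self._token

    def authorization_header(self) -> Dict[str, str]:
        """Header to send on every REST call, as the page prescribes."""
        return {"Authorization": f"Bearer {self.get().access_token}"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode a compact JWT's payload for logging/inspection only. This does NOT
    verify the signature; the resource server does that with the issuer's keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


class FakeClock:
    """Constructed, controllable clock so expiry behaviour is deterministic."""
    def __init__(self, start: float = 1_663_588_481.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def make_fake_token_service(clock: Callable[[], float], ttl: int = 3600):
    """Constructed stand-in for the token endpoint: issues a page-shaped JWT with
    a placeholder signature and counts calls so reuse can be observed."""
    calls = {"count": 0}

    def fetch(form: Dict[str, str]) -> dict:
        if form.get("grant_type") != "client_credentials":
            raise ValueError("fake service only supports client_credentials")
        calls["count"] += 1
        now = int(clock())
        header = {"alg": "RS256", "typ": "at+jwt", "kid": "demo-kid"}
        payload = {"nbf": now, "exp": now + ttl, "iss": "https://id.dev.aritma.io",
                   "aud": [form["scope"]], "client_id": form["client_id"],
                   "iat": now, "scope": [form["scope"]]}
        token = ".".join([_b64url_encode(json.dumps(header).encode()),
                          _b64url_encode(json.dumps(payload).encode()),
                          "placeholder-signature"])
        return {"access_token": token, "expires_in": ttl,
                "token_type": "Bearer", "scope": form["scope"]}

    return fetch, calls


if __name__ == "__main__":
    clock = FakeClock()
    fetch, calls = make_fake_token_service(clock)
    cache = TokenCache(fetch, "demo-client", "demo-secret", now=clock)
    cache.authorization_header()
    clock.advance(1000)
    cache.authorization_header()  # still valid: no second token request
    print("token requests:", calls["count"], "claims:", jwt_claims(cache.get().access_token))
```

To run this against the real token service, pass `http_fetch` instead of the fake and load the client id and secret from a secret store or environment variables rather than literals. The `token_type` check rejects any response that is not a Bearer token, and `jwt_claims` is for logging only: a client holds no key with which to verify the issuer's RS256 signature, so it should not make authorization decisions on the decoded claims.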