# Authentication

The PSD2 API uses OpenID Connect with the OAuth 2.0 standard for authenticating access tokens. Your access token authorizes you to use the PSD2 API.

This is the endpoint used for production environments:

```
https://id.aritma.io/connect/token
```

Note: For development use: `https://id.dev.aritma.io/connect/token`

## Scopes

| Scope | Description |
| --- | --- |
| `banking.channel.psd2` | Access to PSD2 APIs |
| `banking.ais.read` | Access to Account Information APIs |

## Grant Types

The OpenID Connect and OAuth 2.0 specifications define so-called grant types (often also called flows, or protocol flows), which specify how a client can interact with the token service.

The PSD2 API supports the `client credentials` grant, which means you need a `ClientID` and `Client Secret` that can be exchanged for an access token that grants access to the API.

## Example Request

```Bash cURL
# --data-urlencode encodes any special characters in the credentials;
# the scope value is already percent-encoded, so it is sent with -d.
curl -i -X POST https://id.dev.aritma.io/connect/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d grant_type=client_credentials \
  --data-urlencode "client_id=$CLIENT_ID" \
  --data-urlencode "client_secret=$CLIENT_SECRET" \
  -d scope=banking.channel.psd2%20banking.ais.read
```

```csharp C#
using System.Collections.Generic;
using System.Net.Http;

using var client = new HttpClient();

var form = new Dictionary<string, string>
{
    {"grant_type", "client_credentials"},
    {"client_id", "{CLIENT_ID}"},
    {"client_secret", "{CLIENT_SECRET}"},
    {"scope", "banking.channel.psd2 banking.ais.read"}
};

// FormUrlEncodedContent percent-encodes the values and sets the Content-Type header.
var content = new FormUrlEncodedContent(form);
var response = await client.PostAsync("https://id.dev.aritma.io/connect/token", content);
```

```java Java
import okhttp3.*;

OkHttpClient client = new OkHttpClient().newBuilder()
    .build();
MediaType mediaType = MediaType.parse("application/x-www-form-urlencoded");
// The body is sent as written, so the space in the scope list is percent-encoded as %20.
RequestBody body = RequestBody.create(mediaType,
    "grant_type=client_credentials&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&scope=banking.channel.psd2%20banking.ais.read");
Request request = new Request.Builder()
    .url("https://id.dev.aritma.io/connect/token")
    .method("POST", body)
    .addHeader("Content-Type", "application/x-www-form-urlencoded")
    .build();
Response response = client.newCall(request).execute();
```

```javascript JavaScript
var myHeaders = new Headers();
myHeaders.append("Content-Type", "application/x-www-form-urlencoded");

// URLSearchParams percent-encodes each value when the body is serialized.
var urlencoded = new URLSearchParams();
urlencoded.append("grant_type", "client_credentials");
urlencoded.append("client_id", "{CLIENT_ID}");
urlencoded.append("client_secret", "{CLIENT_SECRET}");
urlencoded.append("scope", "banking.channel.psd2 banking.ais.read");

var requestOptions = {
  method: 'POST',
  headers: myHeaders,
  body: urlencoded,
  redirect: 'follow'
};

fetch("https://id.dev.aritma.io/connect/token", requestOptions)
  .then(response => response.text())
  .then(result => console.log(result))
  .catch(error => console.log('error', error));
```

```python Python
import requests

url = "https://id.dev.aritma.io/connect/token"

# Passing a dict lets requests form-encode the values (including the space in
# the scope list) and set the Content-Type header.
payload = {
    "grant_type": "client_credentials",
    "client_id": "{CLIENT_ID}",
    "client_secret": "{CLIENT_SECRET}",
    "scope": "banking.channel.psd2 banking.ais.read",
}

response = requests.post(url, data=payload)
```

## Postman

In the Postman app, complete the following:

1. Set the verb to `POST`.
2. Enter `https://id.dev.aritma.io/connect/token` as the request URL.
3. Select the `Body` tab.
4. Select the `x-www-form-urlencoded` option.
5. In the KEY field, enter `grant_type`.
   - In the VALUE field, enter `client_credentials`.
6. In the KEY field, enter `client_id`.
   - In the VALUE field, enter your client id.
7. In the KEY field, enter `client_secret`.
   - In the VALUE field, enter your client secret.
8. In the KEY field, enter `scope`.
   - In the VALUE field, enter `banking.channel.psd2 banking.ais.read`.
9. Select `Send`.

Response:

```json
{
  "access_token": "{ACCESS_TOKEN}",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "banking.channel.psd2 banking.ais.read"
}
```

## Access Token

The token response contains the JWT access token, the number of seconds the token is valid, the included scopes and the token type.

| Parameter | Value |
| --- | --- |
| access_token | The JWT access token |
| expires_in | The number of seconds the token is valid |
| token_type | The type of the token. Default: Bearer |
| scope | Space-delimited list of scope permissions |

When you make calls to a REST API, include the access token in the `Authorization` header using the `Bearer` scheme. Reuse the access token until it expires.

```http
Authorization: Bearer {ACCESS_TOKEN}
```
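
One way to follow the "reuse the access token until it expires" guidance, as an added example that is not part of the original documentation or the provider's own code: a small cache that requests a token with the client credentials grant and refreshes it shortly before `expires_in` elapses. The names `fetch_token` and `TokenCache`, the 60-second refresh margin, and reading the credentials from the `CLIENT_ID` and `CLIENT_SECRET` environment variables are assumptions of this sketch.

```python
import json
import os
import threading
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://id.dev.aritma.io/connect/token"  # development endpoint from this page
SCOPE = "banking.channel.psd2 banking.ais.read"


def fetch_token(client_id, client_secret, url=TOKEN_URL, scope=SCOPE):
    """POST the client-credentials form and return the parsed token response."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    req = urllib.request.Request(url, data=form, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Hypothetical helper: hands out one token until `skew` seconds before expiry."""

    def __init__(self, fetch, skew=60, clock=time.monotonic):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._expires_at = None, 0.0
        self._lock = threading.Lock()  # one refresh at a time across threads

    def get(self):
        with self._lock:
            now = self._clock()
            if self._token is None or now >= self._expires_at:
                resp = self._fetch()
                if resp.get("token_type", "Bearer").lower() != "bearer":
                    raise ValueError("unexpected token_type in token response")
                self._token = resp["access_token"]
                self._expires_at = now + max(0, int(resp["expires_in"]) - self._skew)
            return self._token

    def auth_header(self):
        return {"Authorization": "Bearer " + self.get()}


if __name__ == "__main__":
    # Credentials come from the environment rather than source code.
    cache = TokenCache(lambda: fetch_token(os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"]))
    print(list(cache.auth_header()))  # header names only; the token itself is never logged
```

Refreshing slightly early avoids sending a token that expires while the request is in flight, and keeping the token in memory only limits where a leaked bearer credential could come from.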