Tokens

  1. Token Request: Your application then makes a secure POST request to the Token Endpoint, providing the code along with your client_id, client_secret, redirect_uri, and (if used in step 1) the same userid. This step happens server-to-server (backend of your app to AIRisk API) and does not involve the user’s browser.

  2. Token Response: If the request is valid, the AIRisk authorization server responds with a JSON payload containing an access_token (and possibly other details like expiration). This token can then be used by your app to authenticate future API requests to AIRisk (usually by including it in an HTTP Authorization: Bearer header).

Note: The AIRisk OAuth2 flow supports two modes of obtaining tokens:

  • Generic tokens – obtained by omitting the userid parameter. These tokens are not tied to any specific end-user; they represent the application’s own access.

  • User-specific tokens – obtained by including a userid. These tokens represent an authorization on behalf of a particular user. The following sections detail how to use each endpoint and clarify the differences between these token types.

```mermaid
sequenceDiagram
    participant App as Application
    participant Browser as User's Browser
    participant Auth as AIRisk Auth Server

    %% Step 1: Authorization Request initiated by the Application
    App->>Browser: Redirect to<br>/authorize?client_id={client_id}&redirect_uri={redirect_uri}&[userid={userid}]
    note right of App: Ensure that client_id and client_secret are valid for an APIUser<br>and that redirect_uri matches one of the allowed URIs

    %% Step 2: Authorization Code Request via User's Browser
    Browser->>Auth: GET /authorize?<br>client_id={client_id}, redirect_uri={redirect_uri}, [userid={userid}]
    alt Authorized Request
        Auth-->>Browser: HTTP 302 Redirect<br>Location: {redirect_uri}?code={auth_code}
    else Authorization Error
        Auth-->>Browser: HTTP Error Response<br>(status_code, reason)
    end

    %% Step 3: Token Request from Application Backend
    Browser->>App: Browser lands on {redirect_uri} with auth_code
    App->>Auth: POST /token<br>{ code: {auth_code}, client_id, client_secret, redirect_uri, [userid] }
    alt Valid Token Request
        Auth-->>App: JSON { access_token, expires_in, ... }
    else Token Request Error
        Auth-->>App: HTTP Error Response<br>(status_code, reason, json body)
    end
```
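The following is an added example of the backend side of step 3 (extracting the code from the redirect, the server-to-server POST /token call, and using the resulting access_token as a Bearer header). It is not code from the AIRisk project or the original page. The host name airisk.example, the form-encoded request body, the error-body shape, and the fake_airisk_send stand-in (which lets the example run offline) are all assumptions; the real endpoint may differ in body encoding and error format.

```python
"""Client-side handling of the AIRisk token exchange (added example).
Assumptions not taken from the page: the base URL, a form-encoded POST body,
and the error-body shape. Adapt these to the real API."""
import json
import time
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import Request, urlopen
from urllib.error import HTTPError

AIRISK_BASE = "https://airisk.example"    # hypothetical host, not from the page
TOKEN_ENDPOINT = AIRISK_BASE + "/token"    # path as shown in the sequence diagram


def extract_auth_code(landed_url, expected_redirect_uri):
    """The browser lands on redirect_uri?code=... . Only accept the code when
    scheme, host and path match the URI we registered, so a code delivered to
    any other location is never exchanged."""
    got, want = urlparse(landed_url), urlparse(expected_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect target does not match registered redirect_uri")
    codes = parse_qs(got.query).get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("missing or ambiguous authorization code")
    return codes[0]


def build_token_request(code, client_id, client_secret, redirect_uri, userid=None):
    """Server-to-server POST /token. userid is sent only when it was used in the
    authorize step (user-specific token); omitting it yields a generic token."""
    fields = {"code": code, "client_id": client_id,
              "client_secret": client_secret, "redirect_uri": redirect_uri}
    if userid is not None:
        fields["userid"] = userid
    return Request(TOKEN_ENDPOINT, data=urlencode(fields).encode(), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded",
                            "Accept": "application/json"})


def parse_token_response(status, body):
    """Turn the JSON token response into a dict with an absolute expiry time.
    Anything other than a 200 carrying an access_token is a failure."""
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}: {body[:200]}")
    payload = json.loads(body)
    token = payload.get("access_token")
    if not token:
        raise RuntimeError("token response lacks access_token")
    expires_in = int(payload.get("expires_in", 0))
    return {"access_token": token,
            "expires_at": time.time() + expires_in if expires_in else None}


def bearer_headers(token):
    """Header for later API calls; keep the token out of logs and URLs."""
    return {"Authorization": "Bearer " + token["access_token"]}


def _http_send(req):
    """Real transport: returns (status, body) for both success and HTTP errors."""
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as e:
        return e.code, e.read().decode()


def exchange_code(landed_url, client_id, client_secret, redirect_uri,
                  userid=None, send=_http_send):
    """Whole backend step: validate the landing URL, POST the code, parse the
    token. `send` is injectable only so the flow can be exercised offline."""
    code = extract_auth_code(landed_url, redirect_uri)
    req = build_token_request(code, client_id, client_secret, redirect_uri, userid)
    status, body = send(req)
    return parse_token_response(status, body)


def fake_airisk_send(req):
    """Constructed stand-in for the AIRisk token endpoint (not the real server)."""
    fields = parse_qs(req.data.decode())
    if fields.get("code") != ["c0de-constructed"] or fields.get("client_secret") != ["s3cret"]:
        return 400, json.dumps({"status_code": 400, "reason": "invalid code or client"})
    return 200, json.dumps({"access_token": "tok-constructed", "expires_in": 3600,
                            "userid": fields.get("userid", [None])[0]})


if __name__ == "__main__":
    tok = exchange_code("https://app.example/cb?code=c0de-constructed", "app1",
                        "s3cret", "https://app.example/cb", userid="u42",
                        send=fake_airisk_send)
    print(bearer_headers(tok))
```

The redirect-URI check in extract_auth_code mirrors the diagram's note that redirect_uri must match one of the allowed URIs: the backend should only exchange codes that arrived at the exact location it registered, and should treat any non-200 token response as a failure rather than assuming an access_token is present.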
