Get OAuth2 token
Issues OAuth2 tokens used to authenticate every API call. The security foundation of the platform.
Supports four flows depending on the integration type:
client_credentials— server-to-server access to the Zertiban API. TheclientId/clientSecretpair travels in theAuthorizationheader as HTTP Basic, not in the body. Returns a short-livedaccess_token(defaultexpires_inis 900 seconds / 15 minutes). Send it on every subsequent API call asAuthorization: Bearer {access_token}, alongsidex-tenant-id: {businessUuid}.authorization_code+ PKCE — browser-driven login for the Zertiban dashboard.refresh_token— exchange a refresh token for a new access token (typically for the dashboard session).urn:ietf:params:oauth:grant-type:token-exchange— tenant-to-tenant switch within the same user session. The dashboard sends the currentaccess_tokenassubject_tokenand the target tenant UUID asaudience. Returns a newaccess_tokenwith the roles and authorities of the target tenant. The original token is not revoked. Thescopeandresourceparameters are not accepted and will produce a400 invalid_request.
Always read expires_in from the response and refresh before expiry to avoid 401 errors.
Autorizaciones
OAuth2 client authentication for the token endpoint. The
clientId / clientSecret pair is sent as HTTP Basic Auth in
the Authorization header (e.g. curl -u clientId:clientSecret,
Python requests auth=(id, secret)), not in the request body.
Required by default for confidential clients.
Cuerpo de la petición
"authorization_code""uri"PKCE code verifier (original random string).
Body for the client_credentials grant — server-to-server
authentication for Zertiban API consumers. The clientId and
clientSecret travel as HTTP Basic Auth in the Authorization
header, not in this body.
Must be client_credentials.
"client_credentials"Optional space-delimited scopes. The scope parameter is
not required for standard Zertiban API access.
REQUIRED when scope includes web_app. UUID of the tenant the token is being issued for. The value is embedded as the tenant_id claim in the resulting access token.
"uuid""refresh_token"Optional reduced scope set.
Body for the token-exchange grant (RFC 8693) — tenant-to-tenant
switch within the same user session. The dashboard sends the
current access token as subject_token and the target tenant UUID
as audience. Returns a new access token carrying the roles and
authorities of the target tenant. The original token is not
revoked. The scope and resource parameters are not
accepted and will produce 400 invalid_request.
Must be urn:ietf:params:oauth:grant-type:token-exchange.
"urn:ietf:params:oauth:grant-type:token-exchange"Current access token (JWT) of the authenticated user.
Must be urn:ietf:params:oauth:token-type:access_token.
"urn:ietf:params:oauth:token-type:access_token"UUID of the target tenant the user wants to switch to.
"uuid"OAuth2 client ID of the dashboard (public client, no secret required).
Optional. Defaults to urn:ietf:params:oauth:token-type:access_token.
Respuestas
Token response