Authentication

API interactions require authentication.

Access to ACAEngine is secured via OAuth2. Before interacting, your app or integration will need to authenticate and obtain a valid access token. Once authenticated, this token must accompany all requests.

This can either be included as an Authorization header (recommended):

HTTPie
cURL
http aca.example.com/api/control/systems 'Authorization:bearer <access token>'
curl -H "Authorization: bearer <access token>" aca.example.com/api/control/systems

Or, as a query parameter:

HTTPie
cURL
http aca.example.com/api/control/systems bearer_token==<access token>
curl "aca.example.com/api/control/systems?bearer_token=<access token>"

Registering Your Application

All applications using the ACAEngine API need to be registered in Backoffice. Details on this can be found in the Backoffice user guide.

Once registered, take note of the client_id as well as the client_secret or redirect_uri, depending on the auth flow your application will use.

Obtaining An Access Token

Using OAuth2, a few approaches are available to obtain an access token. Here's some recommendations based on common API uses:

Auth flow

Recommended use case

Implicit

Web, mobile and desktop apps communicating directly with the ACAEngine API.

Authorization Code

Web, mobile and desktop apps where your back-end communicates with the ACAEngine API on behalf of a user.

Password Grant

Server-to-server integration and highly trusted environments.

Implicit

Authentication and direct API access from client side applications can be safely achieved via the OAuth implicit flow without your application needing to intercept any user details. This allows federated identity services to be used and your users security and privacy to be preserved.

All interaction within this flow takes place within a client-side user agent, making it a great choice for standalone apps.

To authenticate you will need to direct users to the authorisation endpoint, accompanied by your registered application details.

get

https://aca.example.com/auth/oauth/authorize
Request
Response
Path Parameters
client_id
required
string
Application client ID
redirect_uri
required
string
Your registered redirect URI.
response_type
required
string
"token"
state
optional
string
A unique token, generated by your application. This will be included in the response and is recommended to avoid CSRF attacks.
302: Found

Your users will then be prompted to authenticate via your configured identity provider and authorize your application. Once access is granted they will then be returned to your redirect URL with the access token included as a URI fragment.

https://<your registered redirect URI>#access_token=<token>

Your application may then parse this token and use it for API requests.

URI fragments can be accessed from JavaScript with document.location.hash.

If you included a state parameter (you should), this will also be returned and should be validated against your original request prior to commencing any interaction.

Authorization Code

When building application that contains server-side components you may find a need to provide users the ability to grant your infrastructure access to interact with the ACAEngine on their behalf. This is commonly encountered if you have staff or venue app and your ACAEngine deployment is not accessible from public networks, or you may be interacting with the API asynchronously or in response to events from other systems.

As with the implicit flow, at no point does your application require direct knowledge of user credentials.

Using this flow, users first authorize your application by creating a short-lived authorization code. This is then passed to your back-end components, where it can be redeemed for an access token.

To generate the authorisation code, direct your users to the authorisation endpoint with code as the requested response type.

get

https://aca.example.com/auth/oauth/authorize
Request
Response
Path Parameters
client_id
required
string
Application client ID
redirect_uri
required
string
Your registered redirect URI.
response_type
required
string
"code"
state
optional
string
A unique token, generated by your application. This will be included in the response and is recommended to avoid CSRF attacks.
302: Found

After authenticating and authorising your application, users will be redirected to your configured redirect URI with an authorisation code as part of the request parameters.

https://<your registered redirect URI>/?code=<authorisation code>

This response will also include the state parameter if it was included in your original request. This should be validated before continuing.

Your backend infrastructure may then extract this and exchange it for an access token that can be used to perform actions as the authorising user by using the token endpoint.

post

https://aca.example.com/auth/oauth/token
Request
Response
Body Parameters
grant_type
required
string
"authorization_code"
client_id
required
string
Application client ID.
client_secret
required
string
Application secret.
code
required
string
The authorization code from the previous step.
redirect_uri
required
string
The redirect URI used in the authorization code generation.
200: OK
{
"access_token": "1f0af717251950dbd4d73154fdf0a474a5c5119adad999683f5b450c460726aa",
"created_at": 1559193360,
"expires_in": 1209600,
"refresh_token": "ac56ce17189cd8c2afc6c0fc7feeb4710bcc7985847b6f428a9a54ad6450cee0",
"scope": "public",
"token_type": "bearer"
}

Password Grant

The Oauth2 password grant flow provides a good option for server-to-server integration, or when designing a system where direct knowledge of both user, and application secrets is acceptable.

This flow should not be used as part of any components distributed to users or un-trusted endpoints. This includes usage within client side code for web apps or mobile apps, including in compiled form.

This flow provides the ability to directly exchange a username and password for an access token as a single request.

post

https://aca.example.com/auth/oauth/token
Request
Response
Body Parameters
grant_type
required
string
"password"
username
required
string
The user to authenticate as.
password
required
string
The password to authenticate with.
authority
optional
string
The domain ID to authenticate against.
client_id
required
string
Application client ID.
client_secret
required
string
Application client secret.
scope
optional
string
200: OK
{
"access_token": "1f0af717251950dbd4d73154fdf0a474a5c5119adad999683f5b450c460726aa",
"created_at": 1559193360,
"expires_in": 1209600,
"refresh_token": "ac56ce17189cd8c2afc6c0fc7feeb4710bcc7985847b6f428a9a54ad6450cee0",
"scope": "public",
"token_type": "bearer"
}

Session Lifetime

When receiving a token, the server response will include a token expiry - expires_in - which is the number of seconds the token is valid for. By default, this is 14 days. When this period has elapsed your application will need to obtain a new access token. This can be done either by repeating the original authentication flow, or using a refresh token if provided.

Refresh Tokens

Along with the access_token, successful authentication requests may also contain a refresh_token. This can be used to renew the session at any time, extending access as long as both the application registration and user are still valid.

post

https://aca.example.com/auth/oauth/token
Request
Response
Body Parameters
grant_type
required
string
"refresh_token"
refresh_token
required
string
The refresh token to use.
client_id
required
string
Application client ID.
client_secret
required
string
Application client secret.
200: OK
{
"access_token": "1f0af717251950dbd4d73154fdf0a474a5c5119adad999683f5b450c460726aa",
"created_at": 1559193360,
"expires_in": 1209600,
"refresh_token": "ac56ce17189cd8c2afc6c0fc7feeb4710bcc7985847b6f428a9a54ad6450cee0",
"scope": "public",
"token_type": "bearer"
}

Token Revocation

To end a session, applications should request a token revocation. This will invalidate the token, preventing further use.

post

https://aca.example.com/auth/oauth/revoke
Request
Response
Path Parameters
token
required
string
The token to invalidate.
200: OK