
Authentication (OAuth)

Access to the INFast API is authenticated using OAuth2. To be more specific, we implement OAuth2 with Client Credentials as the Grant Type. Then, we use a Bearer Token to authenticate requests.

tip

In most languages and frameworks, there are libraries and tools that handle all this for you (our OAuth implementation is standard). If you're interested, we talk about it here.

Calling authenticated endpoint

Making an OAuth-authenticated request (required for all INFast API endpoints) involves two steps:

  • Retrieve an access_token.
  • Inject this access_token into your requests.

Retrieve your access token

To retrieve your access token manually, you have to make a POST request to the /oauth2/token endpoint (see the reference) with the following parameters:

  • Body: grant_type:client_credentials and scope:write.
  • Authorization: Basic base64([your_client_id]:[your_client_secret])
Curl request: POST /oauth2/token
curl -L -X POST 'https://api.infast.fr/api/v2/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-H 'Authorization: Basic W3lvdXJfY2xpZW50X2lkXTpbeW91cl9jbGllbnRfc2VjcmV0XQ==' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=write'
info

Note that W3lvdXJfY2xpZW50X2lkXTpbeW91cl9jbGllbnRfc2VjcmV0XQ== is the base64 version of [your_client_id]:[your_client_secret].

Response
{
"access_token": "9db3a8296b68b7889f2803fc1143610922997adc",
"token_type": "Bearer",
"expires_in": 604799,
"scope": "write"
}
tip

See the guide to retrieve your access token with node.js, Postman or directly with INFast.

Authenticate your request

To authenticate a request, set the Authorization header (see MDN documentation) with Bearer as the auth scheme and your access token as the parameter:

Authorization: Bearer [your_access_token]

Curl request: GET /customers
curl -L -X GET 'https://api.infast.fr/api/v2/customers' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer 9db3a8296b68b7889f2803fc1143610922997adc'
warning

The access_token is designed to be reused. Requesting a new access_token for each request is a very bad idea. You could quickly run into rate limiting issues.

Scopes

The INFast API offers 2 scopes (more information on how scopes work):

  • read: only allows read access,
  • write: allows both read and write access.

Error

If your access_token does not cover the scope of the request you are making, you will receive an HTTP 403 error with the message: Request is not authorized: Insufficient scope: authorized scope is insufficient.

Concretely, this means that you are trying to perform a write operation while you have only set read in the scope when requesting your access_token.

Access token expiration

The access_token is only valid for a certain period. Its validity period is returned to you when retrieving the access_token.

The expiration date of your access_token is also returned in every response from the INFast API, in the AccessToken-ExpireAt header.

Example
AccessToken-ExpireAt: 2023-12-15T09:46:03.756Z
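
The reuse warning and the expiration rules above can be combined in a small client-side cache. This is an added example, not code from the INFast documentation: `TokenCache`, its method names and the 60-second refresh margin are assumptions, and reading `expires_in` as seconds follows RFC 6749.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
from datetime import datetime

TOKEN_URL = "https://api.infast.fr/api/v2/oauth2/token"  # from the curl example above


def basic_header(client_id, client_secret):
    """Build the 'Basic base64(client_id:client_secret)' Authorization value."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def request_token(client_id, client_secret, scope):
    """POST /oauth2/token with the client_credentials grant (network call)."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope}).encode()
    req = urllib.request.Request(TOKEN_URL, data=body, headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
        "Authorization": basic_header(client_id, client_secret),
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Hypothetical helper: reuse one access_token until shortly before expiry."""

    def __init__(self, fetch, clock=time.time, margin=60):
        # margin (assumed value): refresh this many seconds before expiry.
        self._fetch, self._clock, self._margin = fetch, clock, margin
        self._token, self._expires_at = None, 0.0

    def bearer(self):
        """Return the Authorization header value, fetching only when needed."""
        if self._token is None or self._clock() >= self._expires_at - self._margin:
            data = self._fetch()
            self._token = data["access_token"]
            # expires_in is a lifetime in seconds (RFC 6749, section 5.1).
            self._expires_at = self._clock() + int(data["expires_in"])
        return "Bearer " + self._token

    def observe(self, headers):
        """Adopt the AccessToken-ExpireAt response header when it is present."""
        value = headers.get("AccessToken-ExpireAt")
        if value:
            self._expires_at = datetime.fromisoformat(value.replace("Z", "+00:00")).timestamp()
```

Pass `lambda: request_token(client_id, client_secret, "write")` as `fetch`, with the credentials loaded from the environment or a secret store, and call `observe()` with each response's headers.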