Configure API access
The Token Server offers several APIs for integrating Token Server processes with existing systems. Access to these APIs is managed through API clients; each API client has a client id (used as the username) and a client secret (used as the password). Calls to the APIs must authenticate with one of the following methods:
- HTTP Basic Authentication
- Client credentials in an application/x-www-form-urlencoded request body (HTTP POST requests only). See OAuth Client Password (RFC 6749, section 2.3.1) for the full specification of both methods.
The API clients can be configured in the admin console: Configuration > System > API clients.
For each API client you specify which API(s) it may access, so an external system that integrates with the Token Server gets access only to the function it needs. Access can currently be granted to the following APIs:
- Admin API
- Config API
- End user
- Events API
- Insights: communication between Onegini Insights and the Token Server to retrieve statistics data.
- Mobile authentication
- Payload encryption policy: communication between the Onegini Security Proxy and the Token Server to exchange payload encryption settings.
- Token introspection
- User registration
In addition to client authentication via API clients, we advise creating an IP white list for the /oauth/api endpoint, so that only selected machines in the corporate network can reach these APIs. The white list is a second layer: a leaked client secret can then only be used from an allowed address.
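The following is an added example, not code from Onegini or from the Token Server documentation. It shows both ways a caller can present the client id and secret (the form-urlencoding applied before base64, which RFC 6749 section 2.3.1 requires and which hand-rolled clients often skip), a server-side check that accepts either method and enforces the per-client API grants described above, and the IP white list for /oauth/api recommended at the end of this page. The client store, secret, network ranges, request paths and function names are assumptions made for this example.

```python
"""Added example, not Onegini's code: the two client-credential
authentication methods for the Token Server APIs, per-client API grants,
and an IP allow list in front of /oauth/api. The client store, secret,
IP ranges, paths and function names are assumptions made for this example."""
import base64
import hmac
import ipaddress
from urllib.parse import quote_plus, unquote_plus, urlencode, parse_qs

# Constructed API client store. A real deployment stores a hash of the
# secret; it is plaintext here only to keep the example short.
API_CLIENTS = {
    "insights-client": {"secret": "s3cr3t:with/special chars", "apis": {"insights"}},
}
# Constructed allow list for /oauth/api (documentation ranges, RFC 5737/3849).
ALLOWED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("2001:db8::/32")]

# ---- client side: the two ways to present client credentials ------------

def basic_userpass(client_id, client_secret):
    """RFC 6749 section 2.3.1: id and secret are form-urlencoded *before*
    being joined with ':' so a ':' or '/' in the secret cannot break parsing."""
    return f"{quote_plus(client_id)}:{quote_plus(client_secret)}"

def basic_auth_header(client_id, client_secret):
    """Value for the Authorization header (HTTP Basic method)."""
    raw = basic_userpass(client_id, client_secret).encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def form_body(client_id, client_secret):
    """application/x-www-form-urlencoded body (form method, POST only)."""
    return urlencode({"client_id": client_id, "client_secret": client_secret})

# ---- server side: extract, verify, authorize -----------------------------

def decode_basic_header(value):
    """Reverse of basic_auth_header; None for anything malformed."""
    if not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    enc_id, enc_secret = decoded.split(":", 1)
    return unquote_plus(enc_id), unquote_plus(enc_secret)

def credentials_from_request(method, headers, body):
    """(client_id, client_secret) from either method, else None. The form
    method is only accepted on POST; credentials in a query string never are."""
    if "Authorization" in headers:
        return decode_basic_header(headers["Authorization"])
    ctype = headers.get("Content-Type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        params = parse_qs(body, keep_blank_values=True)
        ids, secrets = params.get("client_id", []), params.get("client_secret", [])
        if len(ids) == 1 and len(secrets) == 1:   # reject duplicated parameters
            return ids[0], secrets[0]
    return None

def ip_allowed(remote_ip):
    """True when the source address is inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)

def authorize(method, path, headers, body, remote_ip, api):
    """HTTP status for a call to `api`: 403 when the source address is not
    allow-listed, 401 for missing or invalid credentials, 403 when the client
    is not granted that API, 200 otherwise."""
    if path.startswith("/oauth/api") and not ip_allowed(remote_ip):
        return 403
    creds = credentials_from_request(method, headers, body)
    if creds is None:
        return 401
    client_id, client_secret = creds
    # Compare in constant time, and against a dummy record for unknown ids so
    # response timing does not reveal which client ids exist.
    record = API_CLIENTS.get(client_id, {"secret": "", "apis": set()})
    secret_ok = hmac.compare_digest(client_secret.encode(), record["secret"].encode())
    if not secret_ok or client_id not in API_CLIENTS:
        return 401
    return 200 if api in record["apis"] else 403

if __name__ == "__main__":
    hdr = {"Authorization": basic_auth_header("insights-client", "s3cr3t:with/special chars")}
    print(authorize("GET", "/oauth/api/v1/insights", hdr, "", "192.0.2.10", "insights"))   # 200
    print(authorize("GET", "/oauth/api/v1/insights", hdr, "", "198.51.100.7", "insights")) # 403, IP not listed
```

The order of the checks matters: the IP check runs before any credential parsing, so a request from outside the white list never reaches the secret comparison and never learns whether its client id exists. The form method is tied to POST because the same parameters in a GET query string would end up in access logs and proxy caches.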