
API Authentication

All Flip API endpoints are authorized using the OAuth 2.0 Resource Owner Client Credentials Grant. The client application sends the client ID and client secret to the authorization server and in return receives an access token. The access token can then be used to authenticate requests to the API.

General Setup

In order to authenticate with the Flip API, the following values are required:

  • Domain - The base of the URL of the target Flip system (e.g. test.flip-app.com)
  • Organization - The System ID of the target Flip system. This information will be provided to you. (e.g. mycompany)
  • API Client ID - The ID of the API client (e.g. my-api-client).
  • API Client Secret - The secret of the API client. This information is available to the person who set up the API client.

Retrieving a token

In order to retrieve a token, a POST request must be sent to the Token URL: https://$DOMAIN/auth/realms/$ORGANIZATION/protocol/openid-connect/token. The request must contain these parameters as form data:

  • grant_type - The value must be client_credentials
  • client_id - The value must be the API client ID
  • client_secret - The value must be the API client secret

The returned access token can be used to authenticate requests to the Flip API. The token has an expiry, which is returned in the response. The token should be reused until it expires.

Example:

The response will contain the access token and the expiry time in seconds. Example response:

Calling an API

In order to call an API, the access token must be included in the Authorization header of the request. The value of the header must be Bearer $ACCESS_TOKEN.

Example:
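
The token retrieval, reuse and Bearer-header steps described above, as an added Python example that is not part of the Flip documentation. The names FlipTokenCache and http_post_form are hypothetical, and the response fields access_token and expires_in are assumed from standard OAuth 2.0 (RFC 6749), since the page's sample response is not shown.

```python
import json
import time
import urllib.parse
import urllib.request


def http_post_form(url, fields):
    """Default transport: POST form data over HTTPS and parse the JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class FlipTokenCache:
    """Fetches a client-credentials token and reuses it until just before expiry."""

    def __init__(self, domain, organization, client_id, client_secret,
                 post=http_post_form, clock=time.monotonic, skew=30):
        self.token_url = (f"https://{domain}/auth/realms/"
                          f"{urllib.parse.quote(organization, safe='')}"
                          "/protocol/openid-connect/token")
        self._fields = {"grant_type": "client_credentials",
                        "client_id": client_id,
                        "client_secret": client_secret}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at:
            reply = self._post(self.token_url, self._fields)
            # Field names assumed from RFC 6749; the page only says the reply
            # holds the access token and its expiry time in seconds.
            self._token = reply["access_token"]
            # Refresh `skew` seconds early so a request never carries a token
            # that expires while in flight.
            self._expires_at = now + max(0, int(reply["expires_in"]) - self._skew)
        return self._token

    def auth_header(self):
        """Header to attach to every Flip API request."""
        return {"Authorization": f"Bearer {self.token()}"}

    def __repr__(self):  # keep the secret and token out of logs and tracebacks
        return f"FlipTokenCache(token_url={self.token_url!r})"
```

Load the client secret from a secret store or environment variable rather than source code, and pass `auth_header()` into each API request so the cached token is reused until it expires.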