Authentication
Accessing the VAKA Online API requires an access token. In addition to an access token, most API endpoints also require authorization using an API-key that allows requests on behalf of a system owner.
Obtaining an Access Token
An access token is obtained using the OAuth Client Credentials flow, by making a POST request to the token endpoint:
https://login.microsoftonline.com/9968fc31-c55a-484e-975f-36ed01948291/oauth2/v2.0/token
An access token request must be of content type application/x-www-form-urlencoded and requires a request body with the following parameters:
grant_type: must be client_credentials
client_id: the client id of your integrator account
client_secret: the client secret of your integrator account
scope: must be api://46298672-5d4a-4a7e-8402-c1f0cc3366e3/.default
Using the Access Token
All API endpoints require the access token to be included in the Authorization header, for example:
Authorization: Bearer <access-token>
Getting an API-key
An API-key gives authorization to make API-requests on behalf of a system owner, restricting the accessible scope to a specific integration. This means that an API-key must be generated for each integration to act on.
Generating an API-key is done by making a GET request to the endpoint:
https://api.vakaonline.se/v1/apikey/generate/<approvalId>
The request requires an approval id to be included. The approval id is received from the system owner and works as a permission grant by the system owner to act on the system owner's behalf.
Using the API-key
All API endpoints requiring an API-key expect the API-key to be specified in an x-api-key header, as follows:
x-api-key: <api-key>
Usage Recommendations
Never use any API credentials (client id, client secret), approval ids, access tokens or API-keys directly in client-side applications or websites. Do not share any credentials with anyone you don't trust.
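The flow above as a server-side Python example, added here and not part of the VAKA documentation: it builds the token request, the API-key request and the headers for later calls, with secrets read from the environment instead of being embedded in code. The function names and environment variable names are assumptions, and the API-key response is kept as raw bytes because this page does not describe its format.

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/9968fc31-c55a-484e-975f-36ed01948291/oauth2/v2.0/token"
SCOPE = "api://46298672-5d4a-4a7e-8402-c1f0cc3366e3/.default"
APIKEY_URL = "https://api.vakaonline.se/v1/apikey/generate/"

def token_request(client_id, client_secret):
    """Build the client-credentials POST for the token endpoint."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")

def auth_headers(access_token, api_key=None):
    """Headers for API calls; x-api-key only where the endpoint needs it."""
    headers = {"Authorization": "Bearer " + access_token}
    if api_key is not None:
        headers["x-api-key"] = api_key
    return headers

def apikey_request(access_token, approval_id):
    """Build the GET that exchanges an approval id for an API-key."""
    # Percent-encode the id so it cannot alter the request path.
    url = APIKEY_URL + urllib.parse.quote(approval_id, safe="")
    return urllib.request.Request(url, headers=auth_headers(access_token), method="GET")

def send(request, timeout=10):
    """Send a request over HTTPS and return the raw response body."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.read()

if __name__ == "__main__":
    # Secrets come from the server's environment (variable names are assumptions).
    req = token_request(os.environ["VAKA_CLIENT_ID"], os.environ["VAKA_CLIENT_SECRET"])
    token = json.loads(send(req))["access_token"]
    raw_key = send(apikey_request(token, os.environ["VAKA_APPROVAL_ID"]))
    print("received %d bytes from the API-key endpoint" % len(raw_key))
```

The script prints only the response length, so the token and API-key never reach logs or the terminal.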