POST Authorize/Token refresh
Refreshes a bearer token from the VEDauth server. After this call completes, place the access_token in the header of your REST call. Your client can reuse the same token until it expires. As necessary, your client should track the expiration time and use the refresh token to get a new one. On exit, your client can revoke the token.
CAUTION Secure your bearer tokens. Do not share tokens with other integrations. When processing completes, your integration can manage the grant by calling GET Revoke/Token.
Requirements
- Permissions: The caller is not required to have any special permissions.
- No bearer access token is necessary for this API call.
Headers
-
Content type:
- Device authorization via a browser: Content-Type:application/x-www-form-urlencoded OR Content-Type:application/json.
- For all other refreshes: Content-Type:application/json.
Parameters
In the request URL, specify vedauth, for example, POST https://tpp.venafi.example//vedauth/authorize/token. All parameter names are case sensitive.
Name |
Description |
---|---|
client_id |
Required for all refresh requests. Case sensitive. The value must match the Client ID in the API integration. For more information, see Setting up token authentication. |
grant_type |
Required for getting the first token after POST Authorize/Device. Specify urn:ietf:params:oauth:grant-type:device_code. |
device_code |
Required for getting the first token after POST Authorize/Device. Valid only once. The device_code from the POST Authorize/Device response. CAUTION Do not log or distribute device_code. |
refresh_token |
The refresh token from a previous call to one of the following:
|
Returns
The response is JSON.Name | Description |
---|---|
HTTP 200 | For valid requests, Authorize/Token returns a HTTP 200 message and the following data:
|
HTTP 400 | If the response is HTTP 400, a generic error appears with a customized description for each Authorize endpoint.
|
Example 1: Refresh a bearer access token
Request for Example 1
POST https://tpp.venafi.example/vedauth/Authorize/Token { "client_id":"MyApp", "refresh_token":"TDctRv/svqcXkDZoG9chQg==" }
Response for Example 1
HTTP/1.1 200 OK { "access_token": "oNUXrKsv2U/zokBN3uCXUA==", "refresh_token": "ESy6T9GhNfx/1vxdEuoFIg==", "expires_in": 7775999, "expires": 1655848416, "token_type": "Bearer", "scope": "certificate:delete,discover,manage", "refresh_until": 1679607837 }
Example 2: Get a token that originated from browser-based authentication
Request for Example 2 URL Encoded
Header: Content-Type:application/urlencoded
(omitted from example)
URL: POST https://tpp.venafi.example/vedauth/Authorize/Token
Body: client_id=MyAPIIntegrationFromUI&device_code=mwMLUQJk...
(text, not JSON)
POST https://tpp.venafi.example/vedauth/Authorize/Token client_id=MyAPIIntegrationFromUI&device_code=mwMLUQJk.../continued on next line &grant_type=urn:ietf:params:oauth:grant-type:device_code
Request for Example 2 JSON
Header: Content-Type:application/json
POST https://tpp.venafi.example/vedauth/Authorize/Token { "client_id":"MyAPIIntegrationFromUI", "device_code":"mwMLUQJk...", "grant_type":"urn:ietf:params:oauth:grant-type:device_code" }
Response for Example 2 (Always JSON)
HTTP/1.1 200 OK { "access_token":"zmbVaygOBFtFV8TlUW9lqg==", "refresh_token":"HKBOMauZqglTwy2odNKlCw==", "expires_in":7775999, "expires":1618855359, "token_type":"Bearer", "scope":"codesign:admin,approve,delete,manage", "refresh_until":1679433024
}