Authentication with OAuth2
This tutorial explains how to connect to the API Gateway (or Sandbox) with your (test) Client credentials, using OAuth2.0 for authorization and authentication. To follow these steps, you will need the Client ID and Client secret that were provided when your client was created. You can also import the Postman environment of your region, as explained here, before starting the authentication tutorial. That pre-fills all the required variables in your environment, which is quick and easy.
Access tokens (and refresh tokens) can be generated using the URL of the Founda Identity API:
For the EU region:
https://identity-oauth.<region>.founda.com/oauth2/token
For the US region:
https://auth.<region>.founda.com/oauth2/token
Replace <region> with the identifier of your Founda region.
You can get a new access token by:
- Using the pre-defined Postman environment,
- Using the example cURL command below, or
- Following the manual set-up steps in Postman.
In order to get an access token you can use the following cURL command as an example:
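A client-credentials token request of the kind described above, as an added example rather than Founda's own command: a POSIX shell script that reads the credentials from the environment and sends them in the form body over stdin. The variable names FOUNDA_REGION, FOUNDA_CLIENT_ID and FOUNDA_CLIENT_SECRET, the function names and the `--fetch` switch are assumptions made for this example; the two endpoint URLs are the ones listed on this page.

```shell
#!/bin/sh
# Added example. FOUNDA_REGION, FOUNDA_CLIENT_ID and FOUNDA_CLIENT_SECRET are
# hypothetical variable names chosen for this example, not Founda's own.

# Percent-encode one form value (runs in a subshell so LC_ALL stays local).
urlencode() (
    LC_ALL=C
    s=$1
    out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}    # first byte
        s=${s#?}           # remainder
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
    done
    printf '%s' "$out"
)

# Token endpoint for the two regions whose URLs appear on this page.
token_url() {
    case $1 in
        eu) printf '%s\n' 'https://identity-oauth.eu.founda.com/oauth2/token' ;;
        us) printf '%s\n' 'https://auth.us.founda.com/oauth2/token' ;;
        *)  printf 'unknown region: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Form body for the client-credentials grant, credentials sent in the body.
token_body() {
    printf 'grant_type=client_credentials&client_id=%s&client_secret=%s' \
        "$(urlencode "$1")" "$(urlencode "$2")"
}

# POST the body on stdin (--data @-) so the secret never appears in curl's
# argument list, where other local users could read it from the process table.
get_token() {
    : "${FOUNDA_CLIENT_ID:?not set}" "${FOUNDA_CLIENT_SECRET:?not set}"
    url=$(token_url "${FOUNDA_REGION:-eu}") || return 1
    token_body "$FOUNDA_CLIENT_ID" "$FOUNDA_CLIENT_SECRET" |
        curl --silent --show-error --fail --proto '=https' --data @- "$url"
}

# Only contact the server when explicitly asked: sh get-token.sh --fetch
if [ "${1:-}" = "--fetch" ]; then
    get_token
fi
```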
If you downloaded the Postman Environment at the beginning, most variables will be pre-filled. Otherwise, configure the following settings in the Authorization tab:
- Type: OAuth2.0
- Grant Type: Client Credentials
- Access token URL: https://identity-oauth.eu.founda.com/oauth2/token or https://auth.us.founda.com/oauth2/token depending on your region.
- Client ID: enter your Client's ID
- Client Secret: enter your Client's Secret
- Client Authentication: "Send client credentials in body"
After filling in the required fields, choose "Get New Access Token" and use the new token (Postman will copy the token to the token field).
Please keep your API keys private.
API keys should never be exposed in untrusted contexts. Never put Client Credentials in client-side JavaScript, embed them in a web page, or otherwise allow users to access them. If Client Credentials are exposed, lost, or stolen, they are compromised. Revoke compromised keys immediately from your Clients page to prevent unauthorized access.