
Handling Tokens

For the login and registration API endpoints, if the call is successful, the response has this structure:

{
  "token_type": "Bearer",
  "expires_in": 2678400,
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI1IiwianRpIjoiZjE3MDg2MWY0NDk4N2ExMmQyOTkxZjQ4NzE0ZGU2MTRhNGNjMTg2NjMyNmYxNmM1ODJmNGZkMTA2OTA3ZjM2NTU3NTQyYWI5YzFiY2ViNWEiLCJpYXQiOjE2Nzc2ODA0NzAuNzc3NDI2LCJuYmYiOjE2Nzc2ODA0NzAuNzc3NDM3LCJleHAiOjE2ODAzNTg4NzAuNzU0ODQsInN1YiI6IjEiLCJzY29wZXMiOltdLCJjdXN0b21lcklkIjoxMTcyOTU1MX0.SMf4J2jFDfFAOJnWfhgn4nO3_udda1LhIuVt9r0z1-Aeu8VVdhT53W_zUDAXEIVW3ba2VYne-u8hFxWaT82QXEukRuO8Wn23ZTfjtD7-0mWTz_psrvlg5-DjYZFFXvQ6P6tT9rOc21ibkEYl14-Wd1Ie2zF7HUdOu939rEBcEVU5jmJ-zzyHn7d3Qb1Z7CJL-_EU341rgQyByUCfYTmDAKN6wmI9hGChzgFIDewbV3CHXOs0RjQD6v0fZRZIBb91cdNpw1gLvAY-FhqcenBmGbBx09K9TwBum1zlQYpH_DrBFxH2HEa72-jERJWjUmMBVkSZ_9fHpQkrG3v9h7lDEobfRsfpolF89xCPPl-ug2oz_gLojTsWFXXfchIN-i8CNn3tY4D08qqsOs5lsl-OyA_pievPdSz8Q04pMTjmK1K5myPqONeG6X2gf8BQg--A4weOGYjJIjyo_NcEJN8nCKseg6i06JF2tSQAe0QnOzuVvVOHb-4HlD2h3XF2emGRtxGVXtvFtq5UhFgu9QNmwC8NkLJHBNDTlx7zDybNpHz597usUGV-ye06DZPs0Cx0Ch_RNUO6vV4aQUe0BsiEb4ZGncWt09uqO5iio8IFJTieHYpphPQg99asYhkcGqt1ZMoc6TFpm3lmpZE6uEfzhcEmu9FZA21NTxRtUHLLc9Q",
  "refresh_token": "def50200e47c39150262586222c6b1f9c700b386f2214fc33945a775f574c5902a0b919e701ec9fbfdbc3517d59936e8748443c8ca568d04616056b0755ef59a0281ac53ebec032f7f6155b2bf4cdf7cb845ff0639cc622cfbc1b0c9d72fb443e94f614ee87399f2bd593474b7cab30d4ea6b226c173989f3518ae616c2c8edb502f975c34c569cd70d326d7c9cf440a7f5e2f47f066c562064e9291e3ecd9cbf2a9df0989a48aa2732425478720319be7a3a235ac68c17bb3203b8fd1ba5fcdc71e205c8083b343df68bbfada6abc3d3c1d60eacdcef7d7d9a915e39a0c589766c6315f40c8af0b74af8cea9e230650c47fd425a0b7292862bc753cb97004ec8b505b7a37023ebc2ad3987c6693cbce5abb8e36f74e3b22e0b2d256f5845bbe63d4fddf2752a6a73e4229daa5f3f2c93f54121c58528b1a28f6bf347f1284d3145634ccd8552d7a05d8a086a212a2da2775a93a7ade1c8a42e309085a2a121999"
}

As you can see, you receive two tokens:

  • Access Token (access_token)
  • Refresh Token (refresh_token)

The access token is the one the frontend works with: it is passed to the checkout Webcomponent and sent as the Authorization header when calling the API endpoints. The refresh token should be kept on the backend side, because it has a longer lifetime.

Access Token

The Access Token can be used right away to make calls to APIs that require customer authentication. In these calls, include the Access Token in an Authorization header like this: Authorization: Bearer {access_token}.

Access Tokens are valid for 30 days.

Validate token

To check if the Access Token is still valid use the following endpoint:

curl --location 'https://{{tenant-space}}.auth.scayle.cloud/v1/oauth/token/validate' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {accessToken}'

For this endpoint, you need to pass the actual access token in an Authorization header as a Bearer token, like this: Authorization: Bearer {access_token}.

If the token is still valid, the endpoint will return a 200 status code. If the token is not valid, it will respond with status code 401.

Refer to the API Specification for further details on the validation endpoint.

Delegated validation via JWKS

We also provide a JWKS endpoint, so that you can implement token validation yourself using the public key of the Authentication API.

Refer to the API Specification for further details on the Get JSON Web Key Set endpoint.

Refresh Token

When your Access Token has expired you can use the Refresh Token to obtain a fresh Access Token.

curl -X POST --location 'https://{{tenant-space}}.auth.scayle.cloud/v1/oauth/token' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic {base64Encode({client_id}:{client_secret})}' \
--data-raw '{
  "grant_type": "refresh_token",
  "refresh_token": "{refresh_token}"
}'

The Refresh Token is valid for 60 days.

Refer to the API Specification for further details on the Create an access token endpoint.

When both your Refresh Token and your current Access Token have expired, you need to ask the customer to log in again.

Don't expose the refresh token to the frontend.
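As an added example (not SCAYLE's own code), here is a backend-side holder for the token pair that follows the rules on this page: the refresh token never leaves the server, the frontend only gets the access token, and the refresh request documented above is produced when the access token is about to expire, or a login is demanded once the refresh token has aged out. The decision logic is separated from I/O, so the caller sends the returned request with its HTTP client and feeds the JSON back in. The tenant space, client id and client secret are placeholders; the sample login response is constructed in the shape shown at the top of the page; and it is an assumption that a refresh response with a new refresh_token restarts the 60-day window.

```javascript
// Added example, not SCAYLE's code: server-side session holding the token pair.
const REFRESH_TOKEN_LIFETIME_S = 60 * 24 * 3600; // 60 days, per the docs

function basicAuthHeader(clientId, clientSecret) {
  // Authorization: Basic base64(client_id:client_secret), as in the curl call above
  return 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
}

class CustomerSession {
  // cfg = { tenantSpace, clientId, clientSecret } (placeholders in the test below)
  constructor(cfg, loginResponse, nowS) {
    this.cfg = cfg;
    this.refreshTokenExpiresAt = nowS + REFRESH_TOKEN_LIFETIME_S;
    this.applyTokenResponse(loginResponse, nowS);
  }

  // Accepts the JSON of a login, registration or refresh call (same structure).
  applyTokenResponse(r, nowS) {
    if (r.token_type !== 'Bearer' || typeof r.expires_in !== 'number' || !r.access_token) {
      throw new Error('unexpected token response');
    }
    this.accessToken = r.access_token;
    this.accessTokenExpiresAt = nowS + r.expires_in; // expires_in is in seconds (2678400 in the sample)
    if (r.refresh_token) {
      // Assumption: a newly issued refresh token gets its own 60-day window.
      this.refreshToken = r.refresh_token;
      this.refreshTokenExpiresAt = nowS + REFRESH_TOKEN_LIFETIME_S;
    }
  }

  // The only data handed to the frontend / checkout Webcomponent: no refresh token in it.
  frontendView() {
    return { accessToken: this.accessToken, expiresAt: this.accessTokenExpiresAt };
  }

  // Header for customer-authenticated API calls made from the backend.
  authorizationHeader() {
    return `Bearer ${this.accessToken}`;
  }

  // Decide what to do before the next authenticated call. skewS refreshes a little early
  // so a token does not expire mid-request.
  plan(nowS, skewS = 300) {
    if (nowS + skewS < this.accessTokenExpiresAt) return { action: 'use_access_token' };
    if (nowS >= this.refreshTokenExpiresAt) return { action: 'login_required' };
    return {
      action: 'refresh',
      request: {
        method: 'POST',
        url: `https://${this.cfg.tenantSpace}.auth.scayle.cloud/v1/oauth/token`,
        headers: {
          'Content-Type': 'application/json',
          Authorization: basicAuthHeader(this.cfg.clientId, this.cfg.clientSecret),
        },
        body: { grant_type: 'refresh_token', refresh_token: this.refreshToken },
      },
    };
  }
}

// Constructed login/refresh response in the documented shape; `tag` just makes tokens distinguishable.
function sampleTokenResponse(tag) {
  return { token_type: 'Bearer', expires_in: 2678400, access_token: `access-${tag}`, refresh_token: `refresh-${tag}` };
}

const demoSession = new CustomerSession(
  { tenantSpace: 'example-tenant', clientId: 'client-id-placeholder', clientSecret: 'client-secret-placeholder' },
  sampleTokenResponse('login'),
  1677680470,
);
console.log(demoSession.plan(1677680470 + 31 * 86400)); // refresh request, ready to be sent
```

If the refresh call itself answers 401, treat it like an expired refresh token and ask the customer to log in again rather than retrying; and since `frontendView()` is the only thing serialised towards the browser, the refresh token and the client secret stay on the backend as the page requires.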