Authentication

This API is secured using OpenID Connect and the OAuth 2.0 Client Credentials flow.

Tokens for the dev instance are not compatible with the live instance and vice-versa.

If your client library supports OpenID Connect, the discovery endpoint is:

Dev:

https://aurora-dev.uk.auth0.com/.well-known/openid-configuration

Live:

https://auth.aurora.co.uk/.well-known/openid-configuration

The Client Credentials flow requires sending a request to the token endpoint containing a client id and a client secret. The response will contain a token that can be used to authenticate with the API when used as a Bearer token.

The client id and client secret can be specified in either the request header or the request body, and no scopes need to be requested.

An audience parameter must also be specified in the request body. The values are:

Dev:

https://dev.client.integration.aurora.co.uk

Live:

https://api.client.integration.aurora.co.uk

The token endpoints are:

Dev:

https://aurora-dev.uk.auth0.com/oauth/token

Live:

https://auth.aurora.co.uk/oauth/token

If you are not using a client library that supports OpenID Connect or OAuth 2.0, then you will need to acquire tokens manually. You do this by sending an HTTP POST request to the token endpoint with your client id and client secret.

Specify the grant_type, audience, client id, and client secret in the request body. For example:

Dev:

POST https://aurora-dev.uk.auth0.com/oauth/token
Content-Type: application/x-www-form-urlencoded

client_id=**********&
client_secret=**********&
audience=https://dev.client.integration.aurora.co.uk&
grant_type=client_credentials

Live:

POST https://auth.aurora.co.uk/oauth/token
Content-Type: application/x-www-form-urlencoded

client_id=**********&
client_secret=**********&
audience=https://api.client.integration.aurora.co.uk&
grant_type=client_credentials

The response will contain an access_token, a token_type, and an expires_in. The expires_in specifies the number of seconds the token will remain valid for. The access_token is the token to be provided as a Bearer token for authentication.

Once you have obtained an access token you can use it to authenticate requests.

The token should be provided as a Bearer token in the Authentication header on all authenticated requests.

For example:

GET https://{{dev|api}}.client.integration.aurora.co.uk/Accounts?orderBy=id asc
Authentication: Bearer **********

The API may return a 401 Unauthorized response, even for an access_token that hasn’t expired yet. These responses should be retried after obtaining a new token.
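
The following is an added example, not code from the API provider: a token cache that reuses the access_token until shortly before expires_in elapses, plus a wrapper that obtains a new token and retries once when the API answers 401. The names post_token_request, TokenCache and call_with_retry, the 30-second skew, and the send(token) callback (which must build the API request itself) are assumptions made for illustration.

```python
import json
import time
import urllib.parse
import urllib.request

DEV_TOKEN_URL = "https://aurora-dev.uk.auth0.com/oauth/token"
DEV_AUDIENCE = "https://dev.client.integration.aurora.co.uk"

def post_token_request(token_url, client_id, client_secret, audience):
    """POST the form-encoded client-credentials request; return the parsed JSON."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # load from a secret store, never hard-code
        "audience": audience,
    }).encode()
    req = urllib.request.Request(
        token_url, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Holds one access token and refreshes it `skew` seconds before expiry."""
    def __init__(self, fetch, skew=30, clock=time.monotonic):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._expires_at = None, 0.0

    def get(self, force=False):
        # Refresh when forced, when empty, or when the cached token is (nearly) expired.
        if force or self._token is None or self._clock() >= self._expires_at:
            resp = self._fetch()
            self._token = resp["access_token"]
            self._expires_at = self._clock() + resp["expires_in"] - self._skew
        return self._token

def call_with_retry(cache, send):
    """send(token) -> (status, body). On 401, fetch a new token and retry once."""
    status, body = send(cache.get())
    if status == 401:
        # Retry exactly once so a persistent 401 cannot loop against the token endpoint.
        status, body = send(cache.get(force=True))
    return status, body
```

For the dev instance, construct the cache with a fetch callable such as lambda: post_token_request(DEV_TOKEN_URL, client_id, client_secret, DEV_AUDIENCE), keeping a separate cache per instance because dev and live tokens are not interchangeable.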