Authentication API
The Authentication service follows a secure two-step handshake. Users must first verify their identity to receive an SSO code, which is then exchanged for a final JWT (JSON Web Token).
1. Login (Get SSO Code)
Endpoint: POST /api/Authenticate
This is the first step. It validates user credentials against a specific application and client.
Request Body (Login Model)
| Field | Type | Required | Description |
|---|---|---|---|
| username | string | Yes | The user's account username or email. |
| password | string | Yes | The user's password. |
| client_id | Guid | Yes | The unique ID of the client application. |
| App_Id | Guid | Yes | The ID of the specific application environment. |
| scopes | string[] | No | Optional list of permission scopes requested. |
Example Request
```json
{
  "username": "admin_user",
  "password": "ExamplePassword123",
  "client_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "App_Id": "7bd12a33-2112-4a62-a3fc-2c963f66afa6",
  "scopes": ["api.read", "api.write"]
}
```
Responses
- 200 OK: Returns a `string` containing the SSO Code. This code is required for Step 2.
- 400 Bad Request: Invalid credentials or login failure.
2. Token Exchange (Get JWT)
Endpoint: POST /api/Authenticate/Token
In this step, you exchange the SSO Code and your private Application Secret for a final JWT. This ensures that only authorized servers can complete the login.
Request Body (CodeExchangeRequest Model)
| Field | Type | Required | Description |
|---|---|---|---|
| AuthorizationCode | string | Yes | The SSO Code received from Step 1. |
| app_Id | string | Yes | The unique ID of your application (e.g., Blazor App ID). |
| app_secret | string | Yes | The private secret key known only to the client and server. |
Example Request
```json
{
  "AuthorizationCode": "SSO-CODE-FROM-STEP-1",
  "app_Id": "7bd12a33-2112-4a62-a3fc-2c963f66afa6",
  "app_secret": "your_private_application_secret"
}
```
Responses
- 200 OK: Returns a `string` containing the JWT.
- 400 Bad Request: Invalid SSO Code submitted.
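The complete two-step handshake, modelled end to end as an added example (this is a constructed stand-in for the service, not the project's own code). It assumes the SSO code is single-use and short-lived, that the JWT is HS256-signed with a server-side key distinct from `app_secret`, and that Step 2 runs on the application's backend, which is the only place `app_secret` should ever live; the IDs, username and placeholder secret are the page's example values.

```python
import base64, hmac, hashlib, json, secrets, time

# Constructed stand-in for the Authentication service described on the page.
APP_ID = "7bd12a33-2112-4a62-a3fc-2c963f66afa6"      # App_Id from the page's example request
CLIENT_ID = "3fa85f64-5717-4562-b3fc-2c963f66afa6"   # client_id from the page's example request
APP_SECRET = "your_private_application_secret"       # placeholder secret from the page
USERS = {"admin_user": "ExamplePassword123"}         # constructed credential store
SIGNING_KEY = b"constructed-server-side-jwt-key"     # assumed: JWT key is separate from app_secret
CODE_TTL = 60                                        # assumed SSO code lifetime in seconds
_pending = {}                                        # sso_code -> (username, app_id, expires_at)

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_jwt(claims: dict) -> str:
    """HS256-signed JWT (assumed algorithm; the page only says 'JWT')."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authenticate(body: dict):
    """Step 1: POST /api/Authenticate -> (status, SSO code or error message)."""
    ok = (hmac.compare_digest(USERS.get(body.get("username"), ""), body.get("password", ""))
          and body.get("client_id") == CLIENT_ID and body.get("App_Id") == APP_ID)
    if not ok:
        return 400, "Invalid credentials or login failure"
    code = secrets.token_urlsafe(32)                 # unguessable, bound to user and app, single-use
    _pending[code] = (body["username"], body["App_Id"], time.time() + CODE_TTL)
    return 200, code

def exchange_token(body: dict):
    """Step 2: POST /api/Authenticate/Token -> (status, JWT or error message)."""
    entry = _pending.pop(body.get("AuthorizationCode"), None)  # pop: any attempt consumes the code
    if entry is None:
        return 400, "Invalid SSO Code submitted"
    username, app_id, expires_at = entry
    if (time.time() > expires_at or app_id != body.get("app_Id")
            or not hmac.compare_digest(body.get("app_secret", ""), APP_SECRET)):
        return 400, "Invalid SSO Code submitted"
    now = int(time.time())
    return 200, mint_jwt({"sub": username, "aud": app_id, "iat": now, "exp": now + 3600})

def server_side_login(username: str, password: str):
    """Client flow: both steps run on the backend, where app_secret lives."""
    status, code = authenticate({"username": username, "password": password,
                                 "client_id": CLIENT_ID, "App_Id": APP_ID, "scopes": ["api.read"]})
    if status != 200:
        return status, code
    return exchange_token({"AuthorizationCode": code, "app_Id": APP_ID, "app_secret": APP_SECRET})
```

Because the code is popped before any check, a failed exchange (wrong secret, wrong app_Id, expired code) burns it and the user has to start again at Step 1; a code that has already been redeemed can never yield a second JWT.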