POST /api/token
Request an access token. Access tokens expire after an hour. Once an access token has expired, you can request a new one with a refresh token (grant_type = refresh_token). Refresh tokens expire after a long period of inactivity. Please store both tokens in a safe, encrypted place!
Pass the following properties via application/json or form encoding in the body of the request.
A dictionary with fields
Field | Type | Description |
---|---|---|
grant_type | String | String. Should be equal to 'code' |
client_id | ApiClient | String value. The client_id of the application that is making the request. Each application has its own unique client_id that can be obtained on request. |
device_name | String | Name of the device. E.g. the machine's hostname. |
device_id | String | Some unique id found in the device. If you don't find a unique UUID in the device you can create one yourself and store it somewhere to be reused. There can only be one access_token and refresh_token for every user + device_id + client_id combination. The number of access tokens for the same user and client id is limited. Creating too many access tokens will invalidate older tokens. |
code | String | The code that was returned in the redirect of the authorization code grant flow. |
code_verifier | String | PKCE extension. The code verifier that was used to create the code_challenge, which was passed to the server when asking the user for permission. This validates the client that requested the code. |
or
A dictionary with fields
Field | Type | Description |
---|---|---|
grant_type | String | String. Should be equal to 'refresh_token' |
refresh_token | String | A String value |
or
Private password flow, not available for third party applications
Field | Type | Description |
---|---|---|
grant_type | String | String. Should be equal to 'password' |
client_id | ApiClient | String value. The client_id of the application that is making the request. Each application has its own unique client_id that can be obtained on request. |
device_name | String | Name of the device. E.g. the machine's hostname. |
device_id | String | Some unique id found in the device. If you don't find a unique UUID in the device you can create one yourself and store it somewhere to be reused. There can only be one access_token and refresh_token for every user + device_id + client_id combination. The number of access tokens for the same user and client id is limited. Creating too many access tokens will invalidate older tokens. |
username | Email address | |
password | String | A String value |
or
Private session flow, not available for third party applications
Field | Type | Description |
---|---|---|
grant_type | String | String. Should be equal to 'session_id' |
client_id | ApiClient | String value. The client_id of the application that is making the request. Each application has its own unique client_id that can be obtained on request. |
device_name | String | Name of the device. E.g. the machine's hostname. |
device_id | String | Some unique id found in the device. If you don't find a unique UUID in the device you can create one yourself and store it somewhere to be reused. There can only be one access_token and refresh_token for every user + device_id + client_id combination. The number of access tokens for the same user and client id is limited. Creating too many access tokens will invalidate older tokens. |
session_id | String | A String value |
POST /api/token HTTP/1.1
Host: accounts.bakeronline.be
X-VERSION: 1.9.0
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Content-Length: 274

{
"grant_type": "code",
"client_id": "264ade60a4ca76716a53056cecb171c027586dc722d6cf5ba40b1519de78170910d9ce0602c776f9",
"device_name": "Simon's iPhone",
"device_id": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9fdgs",
"code": "...",
"code_verifier": "..."
}
Field | Type | Description |
---|---|---|
access_token | String | Hexadecimal string with a maximum length of 256 characters |
token_type | String | String. Should be equal to 'Bearer' |
expires_in | Int | Time in seconds before the token expires |
refresh_token | String | Hexadecimal string with a maximum length of 256 characters |
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 1495

{
"access_token": "ec4ad8b4eb6e32d41cc1b2a76d1f3c9b8b0e5bc52cccf95a32b25d8c485a963270e21c5f0bcc31e8919b66c4de84b7ef0541584734d1e32de5376103cff157b9\n bfdfe1250389ada3acb5acf6713036c46aacef14fa624d1fb342e6c88bae58bf62c58a75346bad31bd3632e5ee69955e7c0bddaa782c5c50a53350b25e472501\n eb25ddb1db38022f122209b9b7d9e0d4e77d90f8b957cd94153332e4e50ba22fba435e0a099b43e7b7a76169af502cc450761fd07cdfdeda433b3ef531d5ebec\n 4982ed103cb4c7903c1794dda58af603e2e5c47582568e5f4c191618f112fad6325f6fe7aaa90b3dd3c5b0168f5dc8a4fbb2d818b2e07db9fe2e1123fc335ed8\n 9cdb6345684d7e65217d22adaafc0f6dd8887720478efcfa8d57504742715011195a6b9a8022b17f603edf7b29a282bdba18026853419b08e1967b101e040b6d",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "ec4ad8b4eb6e32d41cc1b2a76d1f3c9b8b0e5bc52cccf95a32b25d8c485a963270e21c5f0bcc31e8919b66c4de84b7ef0541584734d1e32de5376103cff157b9\n bfdfe1250389ada3acb5acf6713036c46aacef14fa624d1fb342e6c88bae58bf62c58a75346bad31bd3632e5ee69955e7c0bddaa782c5c50a53350b25e472501\n eb25ddb1db38022f122209b9b7d9e0d4e77d90f8b957cd94153332e4e50ba22fba435e0a099b43e7b7a76169af502cc450761fd07cdfdeda433b3ef531d5ebec\n 4982ed103cb4c7903c1794dda58af603e2e5c47582568e5f4c191618f112fad6325f6fe7aaa90b3dd3c5b0168f5dc8a4fbb2d818b2e07db9fe2e1123fc335ed8\n 9cdb6345684d7e65217d22adaafc0f6dd8887720478efcfa8d57504742715011195a6b9a8022b17f603edf7b29a282bdba18026853419b08e1967b101e040b6d"
}
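
Client-side handling of the code grant with PKCE, the reusable device_id, and the switch to the refresh_token grant, added here as an example (it is not the API provider's code). It assumes the S256 challenge method from RFC 7636, which this page does not specify; the function names, the device-id file and the sample response are constructed for illustration.

```python
import base64, hashlib, json, os, secrets, uuid

def b64url(data: bytes) -> str:
    # base64url without padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    # 32 random bytes -> 43 characters, the RFC 7636 minimum length
    return b64url(secrets.token_bytes(32))

def challenge_for(verifier: str) -> str:
    # S256: BASE64URL(SHA256(code_verifier)); the method is an assumption here
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def load_or_create_device_id(path: str) -> str:
    # Reuse one id per installation so repeated logins do not mint extra tokens
    if os.path.exists(path):
        with open(path) as f:
            return f.read().strip()
    device_id = str(uuid.uuid4())
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(device_id)
    return device_id

def code_grant_body(client_id, device_name, device_id, code, verifier) -> dict:
    # Body for POST /api/token with grant_type 'code' (fields from the first table)
    return {"grant_type": "code", "client_id": client_id, "device_name": device_name,
            "device_id": device_id, "code": code, "code_verifier": verifier}

def parse_token_response(raw: str, now: float) -> dict:
    # Check the documented response fields and turn expires_in into an absolute time
    data = json.loads(raw)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    if not isinstance(data.get("expires_in"), int) or data["expires_in"] <= 0:
        raise ValueError("bad expires_in")
    for key in ("access_token", "refresh_token"):
        if not isinstance(data.get(key), str) or not data[key]:
            raise ValueError("missing " + key)
    return {"access_token": data["access_token"],
            "refresh_token": data["refresh_token"],
            "expires_at": now + data["expires_in"]}

def next_request(tokens: dict, now: float, skew: int = 60):
    # None while the access token is still usable; otherwise the refresh grant body
    if now < tokens["expires_at"] - skew:
        return None
    return {"grant_type": "refresh_token", "refresh_token": tokens["refresh_token"]}

# Constructed sample response (placeholder hex values, not real tokens)
SAMPLE = '{"access_token": "a1b2c3", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "d4e5f6"}'
```

The client sends `challenge_for(verifier)` with the authorization request and keeps the verifier private until the token request, so a party that intercepts only the redirect code cannot redeem it.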