Request an access token

POST /api/token

Request an access token. Access tokens will expire after an hour. When they are expired, you can request a new one with a refresh token (grant_type = refresh_token). Refresh tokens will expire after a long period of inactivity. Please store both tokens in a safe, encrypted, place!

Request

Body

Pass the following properties via application/json or form encoding in the body of the request.

A dictionary with fields

Field Type Description
grant_type String String. Should be equal to 'code'
client_id ApiClient String value. The client_id of the application that is making the request. Each application has it's own unique client_id that can be obtained on request.
device_name String Name of the device. E.g. the machine's hostname.
device_id String Some unique id found in the device. If you don't find a unique UUID in the device you can create one yourself and store it somewhere to be reused. There can only be one access_token and refresh_token for every user + device_id + client_id combination. The amount of access tokens for the same user and client id is limited. Creating too many access tokens will invalidate older tokens.
code String The code that was returned in the redirect of the authorization code grant flow.
code_verifier String PKCE extension. Code verifier that was used to create the code_challenge which was passed to the server when asking the user permissions. This validates the client that requested the code

or

A dictionary with fields

Field Type Description
grant_type String String. Should be equal to 'refresh_token'
refresh_token String A String value

or

Private password flow, not available for third party applications

Field Type Description
grant_type String String. Should be equal to 'password'
client_id ApiClient String value. The client_id of the application that is making the request. Each application has it's own unique client_id that can be obtained on request.
device_name String Name of the device. E.g. the machine's hostname.
device_id String Some unique id found in the device. If you don't find a unique UUID in the device you can create one yourself and store it somewhere to be reused. There can only be one access_token and refresh_token for every user + device_id + client_id combination. The amount of access tokens for the same user and client id is limited. Creating too many access tokens will invalidate older tokens.
username Email Email address
password String A String value

or

Private session flow, not available for third party applications

Field Type Description
grant_type String String. Should be equal to 'session_id'
client_id ApiClient String value. The client_id of the application that is making the request. Each application has it's own unique client_id that can be obtained on request.
device_name String Name of the device. E.g. the machine's hostname.
device_id String Some unique id found in the device. If you don't find a unique UUID in the device you can create one yourself and store it somewhere to be reused. There can only be one access_token and refresh_token for every user + device_id + client_id combination. The amount of access tokens for the same user and client id is limited. Creating too many access tokens will invalidate older tokens.
session_id String A String value

Example request 1

POST /api/token HTTP/1.1
Host: accounts.bakeronline.be
X-VERSION: 1.9.0
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Content-Length: 274
{
    "grant_type": "code",
    "client_id": "264ade60a4ca76716a53056cecb171c027586dc722d6cf5ba40b1519de78170910d9ce0602c776f9",
    "device_name": "Simon's iPhone",
    "device_id": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9fdgs",
    "code": "...",
    "code_verifier": "..."
}

Response

Field Type Description
access_token String Hexadecimal string with a maximum length of 256 characters
token_type String String. Should be equal to 'Bearer'
expires_in Int Time in seconds before the token expires
refresh_token String Hexadecimal string with a maximum length of 256 characters

Example response 1

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 1495

{
    "access_token": "ec4ad8b4eb6e32d41cc1b2a76d1f3c9b8b0e5bc52cccf95a32b25d8c485a963270e21c5f0bcc31e8919b66c4de84b7ef0541584734d1e32de5376103cff157b9\n            bfdfe1250389ada3acb5acf6713036c46aacef14fa624d1fb342e6c88bae58bf62c58a75346bad31bd3632e5ee69955e7c0bddaa782c5c50a53350b25e472501\n            eb25ddb1db38022f122209b9b7d9e0d4e77d90f8b957cd94153332e4e50ba22fba435e0a099b43e7b7a76169af502cc450761fd07cdfdeda433b3ef531d5ebec\n            4982ed103cb4c7903c1794dda58af603e2e5c47582568e5f4c191618f112fad6325f6fe7aaa90b3dd3c5b0168f5dc8a4fbb2d818b2e07db9fe2e1123fc335ed8\n            9cdb6345684d7e65217d22adaafc0f6dd8887720478efcfa8d57504742715011195a6b9a8022b17f603edf7b29a282bdba18026853419b08e1967b101e040b6d",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "ec4ad8b4eb6e32d41cc1b2a76d1f3c9b8b0e5bc52cccf95a32b25d8c485a963270e21c5f0bcc31e8919b66c4de84b7ef0541584734d1e32de5376103cff157b9\n            bfdfe1250389ada3acb5acf6713036c46aacef14fa624d1fb342e6c88bae58bf62c58a75346bad31bd3632e5ee69955e7c0bddaa782c5c50a53350b25e472501\n            eb25ddb1db38022f122209b9b7d9e0d4e77d90f8b957cd94153332e4e50ba22fba435e0a099b43e7b7a76169af502cc450761fd07cdfdeda433b3ef531d5ebec\n            4982ed103cb4c7903c1794dda58af603e2e5c47582568e5f4c191618f112fad6325f6fe7aaa90b3dd3c5b0168f5dc8a4fbb2d818b2e07db9fe2e1123fc335ed8\n            9cdb6345684d7e65217d22adaafc0f6dd8887720478efcfa8d57504742715011195a6b9a8022b17f603edf7b29a282bdba18026853419b08e1967b101e040b6d"
}
1.9.0 stable