To consume APIs on the AT&T API Marketplace (APIM) https://apimarket.att.com, you need to provide a valid OpenID Connect 1.0 (OIDC) access token with every REST request. It is expected in the HTTP Authorization header as a bearer token.
There are two authentication flows supported:
OIDC password grant flow - When there is a user to be authenticated, this is the supported flow.
- As per spec, grant_type is password.
- It requires email address as username, APIM password as password and Account Client ID or Public Project Key as client_id.
OIDC client credentials grant flow - When the authenticating entity is a project, this flow should be used.
- As per spec, grant_type is client_credentials.
- It requires Private Project Key as client_id and Private Project Secret as secret.
A successful authentication provides three OIDC tokens in JSON Web Token (JWT) format, each with a Base64-encoded payload part:
- access_token: To be set into HTTP Authorization header of APIM REST APIs.
- refresh_token: To be provided to refresh the OIDC tokens without user credentials.
- id_token: To be used to fetch the preferred_username (your APIM userId (projects also have APIM userId) to be provided within REST API paths) and call-did-list/sms-did-list (telephone numbers assigned to this user/project).
access_token is valid for 8 hours, and refresh_token expires in 14 days.
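The following Python sketch is an added example, not code from the AT&T documentation. It shows how a client can read preferred_username and the DID lists from the id_token payload and build the bearer header from access_token. The sample token, its claim values and the assumption that the DID lists are JSON arrays are constructed for illustration, and the payload is decoded without signature verification.

```python
import base64
import json


def b64url(data: bytes) -> str:
    """Encode as unpadded base64url, the form JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT WITHOUT verifying its signature.

    Fine for reading claims from a token just received from the token
    endpoint over TLS; never authorize anything on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def session_from_token_response(resp: dict) -> dict:
    """Pull out what later REST calls need from a token response."""
    claims = decode_jwt_payload(resp["id_token"])
    return {
        "headers": {"Authorization": "Bearer " + resp["access_token"]},
        "user_id": claims["preferred_username"],  # goes into REST API paths
        "call_dids": claims.get("call-did-list", []),  # assumed JSON array
        "sms_dids": claims.get("sms-did-list", []),    # assumed JSON array
    }


# Constructed sample: claim values and the signature are placeholders.
_claims = {"preferred_username": "example-user-id",
           "call-did-list": ["+15555550100"], "sms-did-list": []}
SAMPLE_ID_TOKEN = ".".join([b64url(b'{"alg":"RS256","typ":"JWT"}'),
                            b64url(json.dumps(_claims).encode()),
                            "constructed-signature"])
SAMPLE_RESPONSE = {"access_token": "constructed.access.token",
                   "refresh_token": "constructed.refresh.token",
                   "id_token": SAMPLE_ID_TOKEN}

if __name__ == "__main__":
    print(session_from_token_response(SAMPLE_RESPONSE))
```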
For more details about authentication flows and JWT examples, you can refer to Authentication and Authorization on the AT&T API Marketplace Developer Documentation pages https://apimarket.att.com/developer