Authorization Overview Guide
SEI uses OAuth 2.0, the industry-standard authorization and authentication mechanism. OAuth 2.0 secures access by granting deliberate, verified permissions through API keys. This document gives a general overview of the process using the authorization code grant type, and of the API calls used to interact with our service.
An application making SEI API requests from a Client/Server or Server/Server type of infrastructure uses the client_credentials grant_type when minting an OAuth token from the Token API. That OAuth token has an active time to live (TTL) of 60 minutes and an inactive TTL of 30 minutes. An OAuth token obtained with client_credentials cannot be refreshed.
Mutual or 2-Way TLS is typically used when user context is not present and a Client/Server application is registered through the SEI Developer Portal. For more information, view Implementing Two-Way TLS.
Before beginning this guide, it may be helpful to familiarize yourself with OAuth2 and how it works.
Using OAuth
Before you can make any OAuth calls, you must obtain an AppKey and AppSecret. These can be found within MyApps. If you have not created an app yet, view our 'How to add an app' guide to walk through the process.
How To Authorize and Create an OAuth Token: Overview
Please view the detailed pages for more information.
- Refer to the OAuth documentation. Your application calls the OAuth Authorize API; the appropriate URL depends on the use case and application type. This call executes an HTTP 302 redirect from your web application to the SEI OAuth Login Page. See OAuth Authorize for more information.
- After the user logs in, the SEI API redirects back to your application using the redirect_url parameter specified in the /authorize call. The query parameters of that GET request contain an authorization code that is valid for 20 seconds.
- Using this authorization code, your application can now call the OAuth Token API and obtain two tokens: the Auth token and the Refresh token. The Auth token expires after 60 minutes, while the Refresh token expires after 30 days. See Create OAuth Token for more information.
How To Use an OAuth Token: Overview
Now you can begin to make API calls. The OAuth token is passed to existing API calls in the “AUTHORIZATION” HTTP header as a ‘Bearer’ token. For example:
Authorization: Bearer <access_token>
To re-establish a session with the API, call /v2/oauth/token with the refresh_token grant type and pass the 'refresh' token. This means you do not have to re-execute the three legs of the authorize flow.
See OAuth Token API for more information.
In addition, pass the token to the /v2/oauth/tokeninfo API call to retrieve details about the token itself, including when it expires and the scope it was issued for.
See Get Token Info for more information.
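As an added illustration (not SEI's own client library), the following Python helper encodes the token lifecycle this guide describes: the 20-second authorization code, the 60-minute Auth token, the 30-minute inactive TTL of a client_credentials token, and the 30-day Refresh token, so that a caller always either sends a valid Bearer header, refreshes via the refresh_token grant, or fails closed and restarts the authorize flow. The post_token callable (assumed to POST the form parameters to /v2/oauth/token and return the JSON body), the TokenSet fields and the injectable clock are assumptions made so the logic can run offline.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
ACCESS_TTL = 60 * 60             # Auth token: 60 minutes (as stated in this guide)
INACTIVE_TTL = 30 * 60           # client_credentials token: 30 minutes idle
AUTH_CODE_TTL = 20               # authorization code: 20 seconds
REFRESH_TTL = 30 * 24 * 60 * 60  # Refresh token: 30 days (counted here from the last token response)

@dataclass
class TokenSet:
    access_token: str
    refresh_token: Optional[str]  # None for client_credentials tokens (not refreshable)
    issued_at: float
    last_used: float

class TokenManager:
    """Caches one token set and decides per request whether it is still usable,
    must be refreshed (refresh_token grant), or needs the authorize flow again."""
    def __init__(self, post_token: Callable[[Dict[str, str]], Dict[str, str]],
                 now: Callable[[], float] = time.time):
        self._post = post_token  # assumed: POSTs form params to /v2/oauth/token, returns JSON dict
        self._now = now          # injectable clock so the TTL logic can be tested offline
        self._tokens: Optional[TokenSet] = None

    def exchange_code(self, code: str, code_received_at: float) -> None:
        """Third leg of the authorize flow; the code is only valid for 20 seconds."""
        if self._now() - code_received_at > AUTH_CODE_TTL:
            raise ValueError("authorization code expired; restart the authorize flow")
        self._store(self._post({"grant_type": "authorization_code", "code": code}))
    def client_credentials(self) -> None:
        # Server/Server applications: mint a token that cannot be refreshed
        self._store(self._post({"grant_type": "client_credentials"}))
    def _store(self, body: Dict[str, str]) -> None:
        t = self._now()
        self._tokens = TokenSet(body["access_token"], body.get("refresh_token"), t, t)

    def auth_header(self) -> Dict[str, str]:
        # Returns the Authorization header, refreshing or failing closed as needed
        t, now = self._tokens, self._now()
        if t is None:
            raise RuntimeError("no token cached; run the authorize flow first")
        if now - t.issued_at >= ACCESS_TTL or (t.refresh_token is None and now - t.last_used >= INACTIVE_TTL):
            if t.refresh_token is None or now - t.issued_at >= REFRESH_TTL:
                self._tokens = None  # nothing to refresh with: the user must re-authorize
                raise RuntimeError("token expired and cannot be refreshed; re-run the authorize flow")
            body = self._post({"grant_type": "refresh_token", "refresh_token": t.refresh_token})
            body.setdefault("refresh_token", t.refresh_token)  # keep the old one if none was rotated
            self._store(body)
            t = self._tokens
        t.last_used = now
        return {"Authorization": f"Bearer {t.access_token}"}
```

In production, post_token would also send the AppKey and AppSecret from MyApps and raise on a non-2xx response rather than returning a body.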