Issue IAM token
Issue token request - Bearer token
When issuing an Akkess token the caller must supply:
- HTTP header Authorization with the IdP's token. Typically Bearer <IdP token>
- HTTP header Idp-Key, which references the IdP configuration entry
- The tenantId for which the caller wants to get a token
- TTL for the token in seconds
- Requested token format
Request headers
- accept: application/jwt - The client must support a JWT token in the response
- authorization - The IdP token
- idp-key - The key that references the IdP configuration entry
-H 'accept: application/jwt' \
-H 'authorization: BEARER <IdPToken>' \
-H 'idp-key: idp-xyz'
Request payload
- tenantId - The tenant for which the token should be issued
- expiryInSecs - The time to live for the token in seconds
- tokenFormat - The format of the token. Currently only t1 is supported.
{
  "tenantId": "2024-06-20-demo-6673e4b60d5c8741f5e573b0",
  "expiryInSecs": 3600,
  "tokenFormat": "t1"
}
Full example of issuing an Akkess token
curl 'https://api.akkess.io/authentication/v1/tokens' \
-H 'authority: api.akkess.io' \
-H 'accept: application/jwt' \
-H 'authorization: BEARER <IdPToken>' \
-H 'idp-key: <IdP-Key>' \
-H 'cache-control: no-store, no-cache, must-revalidate' \
-H 'content-type: application/json' \
-H 'if-modified-since: 0' \
--data-raw '{"expiryInSecs":3600,"tenantId":"2024-06-20-demo-6673e4b60d5c8741f5e573b0","tokenFormat":"t1"}' \
--compressed
JWT - JSON Web Token
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.
The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.
Issue token response
A signed JSON Web Token issued by Akkess.
Raw
eyJraWQiOiI0NTA3MzkxMC1mNzIyLTQ0MzEtODkyNy0zNTNkNjc2ZDkzYWQiLCJjdHkiOiJ0MSIsImFsZyI6IlJTMjU2In0.<payload>.ghoZ_SItwc7M-Z1bD4MWOKAHnmTGVr--KuJ9BSSObk0HGHQiLpTdILwXn20A1OhM1gbMuH3zebzZvlu894r95e4cuy8ELEfW2fqKGfnuIBWocKazsbinFBI9PacXetKLsVQsKURIzgzSeFmx_lZ81RcmdTgvz8O_z2ZeFjprhS1awXKxcgvn1gY31HBIqYMsiwiHaU7t2oXTjtGcfVXY31COF06j0tuopPHC3QR5d6wX5wX3yvlbRp2U3YJEjBOgouoiQXmjWYiMJNEwVYLDAiBvEHzh1vYW5k-YctQ9FIzVLUASgXw653p4QCR8CnHIe5NHmVTvACPReNbVZTvv6g
Header
- kid - The key id of the key used to sign the token
- cty - The content type of the token
- alg - The algorithm used to sign the token
{
  "kid": "45073910-f722-4431-8927-353d676d93ad",
  "cty": "t1",
  "alg": "RS256"
}
Body
- jti - The unique identifier for the token
- iss - The issuer of the token
- sub - The subject of the token - the Akkess Actor Id
- aud - The audience of the token - the Akkess Tenant Id
- exp - The expiration time of the token
- iat - The time the token was issued
- acc - The Akkess account id
- app - The Akkess application id
- tid - The Akkess tenant Id
- ars - The access roles and scope
{
  "jti": "dd7b3046-af7c-495b-a758-1fa599611e6e",
  "iss": "https://api.akkess.io/authentication/v1",
  "sub": "6673e6a476dbe3279cea79c7",
  "aud": "2024-06-20-demo-6673e4b60d5c8741f5e573b0",
  "exp": 1738875478,
  "iat": 1738871878,
  "acc": "666c0842bc13567973731acf",
  "app": "demo-6673e3d70d5c8741f5e573a8",
  "tid": "2024-06-20-demo-6673e4b60d5c8741f5e573b0",
  "ars": [
    {
      "r": [
        "regular-user"
      ],
      "n": [
        "6673e65176dbe3279cea79c0"
      ]
    }
  ]
}
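Checking the header and body fields above on the receiving side
A service that receives this token should pin the header and claim values listed above before acting on the roles in ars. The following is an added example, not Akkess code: the names check_akkess_claims and make_sample and the 30-second leeway are assumptions. It does not verify the RS256 signature, which must be done first with the public key identified by kid; how that key is obtained is not described on this page.

```python
import base64
import json
import time

ISSUER = "https://api.akkess.io/authentication/v1"  # "iss" value shown on this page


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_akkess_claims(token, tenant_id, now=None, leeway=30):
    """Check header and claims; return the set of role names found in "ars".

    Signature verification is NOT done here and must already have succeeded.
    """
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("not a three-part signed JWT")
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    # Pin algorithm and format so headers such as "none" or HS256 are refused.
    if header.get("alg") != "RS256" or header.get("cty") != "t1":
        raise ValueError("unexpected alg or cty")
    if not header.get("kid"):
        raise ValueError("missing kid")
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    # The token must be bound to the tenant this service is serving.
    if claims.get("aud") != tenant_id or claims.get("tid") != tenant_id:
        raise ValueError("token issued for another tenant")
    now = time.time() if now is None else now
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        raise ValueError("exp and iat must be integers")
    if now >= exp + leeway:
        raise ValueError("token expired")
    if iat > now + leeway:
        raise ValueError("token issued in the future")
    return {role for entry in claims.get("ars", []) for role in entry.get("r", [])}


def make_sample(header, claims):
    """Build a constructed sample token with a dummy signature (test input only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"
```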