Issue IAM token

Issue token request - Bearer token

When issuing an Akkess token, the caller must supply:

  • The HTTP header Authorization with the IdP's token, typically Bearer <IdP token>
  • The tenantId for which the caller wants a token
  • The TTL for the token in seconds
  • The requested token format

Request headers

  • accept: application/jwt - The client must support a JWT token in the response
  • authorization - The IdP token

'accept: application/jwt' \
'authorization: BEARER <IdPToken>' \

Request payload

  • tenantId - The tenant for which the token should be issued
  • expiryInSecs - The time to live for the token in seconds
  • tokenFormat - The format of the token. Currently only t1 is supported.

{
  "tenantId": "63c65dee83abd41be9f61108",
  "expiryInSecs": 3600,
  "tokenFormat": "t1"
}

Full example of issuing an Akkess token

curl 'https://api.akkess.io/authorization/v1/tokens' \
-H 'authority: api.akkess.io' \
-H 'accept: application/jwt' \
-H 'authorization: BEARER <IdPToken>' \
-H 'cache-control: no-store, no-cache, must-revalidate' \
-H 'content-type: application/json' \
-H 'if-modified-since: 0' \
--data-raw '{"expiryInSecs":3600,"tenantId":"63c65dee83abd41be9f61108","tokenFormat":"t1"}' \
--compressed

JWT - JSON Web Token

A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.

The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.

Issue token response

A signed JSON Web Token issued by Akkess.

Raw

eyJraWQiOiI2ZTg3NDNiNy01MzY4LTQ2YjQtYjU4NS05MGFjNWYyOGIzYjYiLCJjdHkiOiJ0MSIsImFsZyI6IlJTMjU2In0.eyJqdGkiOiI2NWZiOWJiMS03MmFlLTQzYTItODhmOS1mYjY1NzI3NGQ2YTYiLCJpc3MiOiJodHRwczovL2FwaS5kZXYuYWtrZXNzLmNvbS9hdXRob3JpemF0aW9uL3YxIiwic3ViIjoiNjQxMzE4ZTA1ZTAwYTQ3NjFiOGZjZjk5IiwiYXVkIjoiNjNjNjVkZWU4M2FiZDQxYmU5ZjYxMTA4IiwiZXhwIjoxNzEzOTAyMDc4LCJpYXQiOjE3MTM4OTg0NzgsImFjYyI6IjYzYzY1ZGVlODNhYmQ0MWJlOWY2MTEwNCIsImFwcCI6IjYzYzY1ZGVlODNhYmQ0MWJlOWY2MTEwNiIsInRpZCI6IjYzYzY1ZGVlODNhYmQ0MWJlOWY2MTEwOCIsImFycyI6W3siciI6WyJVU0VSIl0sIm4iOlsiNjQxMzFiODU1ZTAwYTQ3NjFiOGZjZmEyIl19XX0.a-hZfnpz0NoAeMibPHjp_YimGPOjEhJ7CcMs7VfaL-FQdyogtU0_bCATTCXXU5fEN1_82UJd5VlwpMCic2yK5fPnIPUun0AdJUgkt0fTpURamiygyxy5wq5dVeQ1UDWnCL2Az4uSEwDxKxYUCgbj-__cf9nWP867G2Vvyccj72eR6UH5zKbi_9ooOTz8LspboETTvMtcqFj8RWQ9qjdS2GOaOHAXGV5KqZEEcQeaXv6J2kWnd0tr7bFbKkJRemvqgI8hHvpJdcaldkSaqPSKRkCP7DT-8NCCSkOQrK9gxEjaVyuaGJPF0-uTM0f8YDCl0O9f0wKNdGM3rlgAi5Ncrg

Header

  • kid - The key id of the key used to sign the token
  • cty - The content type of the token
  • alg - The algorithm used to sign the token

{
  "kid": "6e8743b7-5368-46b4-b585-90ac5f28b3b6",
  "cty": "t1",
  "alg": "RS256"
}

Body

  • jti - The unique identifier for the token
  • iss - The issuer of the token
  • sub - The subject of the token - the Akkess Actor Id
  • aud - The audience of the token - the Akkess Tenant Id
  • exp - The expiration time of the token
  • iat - The time the token was issued
  • acc - The Akkess account id
  • app - The Akkess application id
  • ars - The access roles and scope

{
  "jti": "65fb9bb1-72ae-43a2-88f9-fb657274d6a6",
  "iss": "https://api.akkess.io/authorization/v1",
  "sub": "641318e05e00a4761b8fcf99",
  "aud": "63c65dee83abd41be9f61108",
  "exp": 1713902078,
  "iat": 1713898478,
  "acc": "63c65dee83abd41be9f61104",
  "app": "63c65dee83abd41be9f61106",
  "tid": "63c65dee83abd41be9f61108",
  "ars": [
    {
      "r": [
        "USER"
      ],
      "n": [
        "64131b855e00a4761b8fcfa2"
      ]
    }
  ]
}
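
Checks a service receiving an issued token could run on its header and claims once the RS256 signature has been verified. This is an added example, not Akkess's own code. The function names and the rule that aud and tid must both equal the requested tenantId are assumptions, and the sample token is constructed from the header and body values on this page with a placeholder signature.

```python
import base64
import json

def _b64url_json(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_akkess_token(token, tenant_id, issuer, max_ttl, now):
    """Return problems found in header and claims (empty list = ok). Assumes the
    RS256 signature was already verified with the key named by `kid`."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWS"]
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:
        return ["header or body is not base64url-encoded JSON"]
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return ["header or body is not a JSON object"]
    problems = []
    # Pin algorithm and format rather than trusting what the token declares.
    if (header.get("alg"), header.get("cty")) != ("RS256", "t1"):
        problems.append("unexpected alg or cty")
    if claims.get("iss") != issuer:
        problems.append("unexpected iss")
    # Assumption: aud and tid both carry the tenant id, as in the page's sample.
    if claims.get("aud") != tenant_id or claims.get("tid") != tenant_id:
        problems.append("token is for another tenant")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        problems.append("missing exp or iat")
    elif now >= exp:
        problems.append("expired")
    elif exp - iat > max_ttl:
        problems.append("lifetime exceeds requested expiryInSecs")
    return problems

def make_sample(header, claims):
    # Constructed token: unsigned, with a placeholder third segment.
    segs = [base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
            for o in (header, claims)]
    return ".".join(segs + ["c2ln"])

# Constructed sample built from the header and body values shown on this page.
HEADER = {"kid": "6e8743b7-5368-46b4-b585-90ac5f28b3b6", "cty": "t1", "alg": "RS256"}
CLAIMS = {"iss": "https://api.akkess.io/authorization/v1", "iat": 1713898478,
          "exp": 1713902078, "aud": "63c65dee83abd41be9f61108",
          "tid": "63c65dee83abd41be9f61108"}
SAMPLE = make_sample(HEADER, CLAIMS)
```

Pass the same tenantId and expiryInSecs that were sent in the issue request, so a token minted for a different tenant or with a longer lifetime than requested is rejected.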