Authentication API Documentation
Overview
This API implements the OAuth 2.0 Resource Owner Password Credentials flow to obtain access tokens. It is used to authenticate users and generate tokens for API access.
API Endpoint
- URL: {{host}}/connect/token
- Method: POST
- Content-Type: application/x-www-form-urlencoded
Request Parameters
| Parameter | Required | Description |
|---|---|---|
| grant_type | ✅ Yes | Must be password |
| client_id | ✅ Yes | Client application identifier |
| username | ✅ Yes | User's email/username |
| password | ✅ Yes | User's password |
Sample Request
curl --location '{{host}}/connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=YOUR_CLIENT_ID' \
--data-urlencode 'password=@Password123' \
--data-urlencode 'username=account@tripdata.vn'
Sample Response
{
"access_token": "iufhfWPkY_LOP8haywhRijU7KfntoXW3_uAoyBnFlts",
"expires_in": 3600,
"token_type": "Bearer",
"refresh_token": "tttf0EqQvHlmLQKasoTDY7ZlyQLw5Zdtlt8tcqDJ5Bw",
"scope": "client-data config-data hub-data offline_access user-data"
}
Response Field Description
| Field | Type | Description |
|---|---|---|
| access_token | String | Bearer token for API authorization |
| expires_in | Number | Token validity in seconds (3600s = 1 hour) |
| token_type | String | Token type (always Bearer) |
| refresh_token | String | Token to obtain new access tokens |
| scope | String | Granted permissions (space-separated) |
Scopes Reference
| Scope | Description |
|---|---|
| client-data | Access to client-specific data |
| config-data | Read configuration data |
| hub-data | Access TripData Hub services |
| offline_access | Allows refresh token usage |
| user-data | Access user profile information |
Security Notes
- Always use HTTPS for token requests
- Store tokens securely - never expose in client-side code
- Refresh tokens should be encrypted at rest
- Rotate client secrets regularly
- Use PKCE for public clients if implemented
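The following client-side sketch is an added example, not code from this API's maintainers. It builds the documented form-encoded request while refusing non-HTTPS hosts, validates the documented response fields, and keeps token values out of log output. The names `TokenSet`, `build_token_request` and `parse_token_response`, the 30-second expiry margin and the sample response are assumptions made for illustration.

```python
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Constructed sample response (placeholder token values, not real credentials).
SAMPLE_RESPONSE = ('{"access_token": "constructed-access", "expires_in": 3600, '
                   '"token_type": "Bearer", "refresh_token": "constructed-refresh", '
                   '"scope": "user-data offline_access"}')

@dataclass(frozen=True, repr=False)
class TokenSet:
    access_token: str
    refresh_token: Optional[str]
    expires_at: float      # absolute UNIX time derived from expires_in
    scopes: frozenset

    def is_expired(self, now=None, skew=30):
        # Treat the token as expired `skew` seconds early (assumed margin).
        return (time.time() if now is None else now) >= self.expires_at - skew

    def __repr__(self):
        # Never leak token values through logs or tracebacks.
        return f"TokenSet(scopes={sorted(self.scopes)}, expires_at={self.expires_at:.0f})"

def build_token_request(host, client_id, username, password):
    """Build the POST to {host}/connect/token; refuse anything but HTTPS."""
    if urllib.parse.urlsplit(host).scheme != "https":
        raise ValueError("token requests must use HTTPS")
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "username": username, "password": password,
    }).encode()
    return urllib.request.Request(
        host.rstrip("/") + "/connect/token", data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(body, now=None):
    """Validate the documented response fields and return a TokenSet."""
    data = json.loads(body)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    if not data.get("access_token"):
        raise ValueError("missing access_token")
    scopes = frozenset(str(data.get("scope", "")).split())
    # Assumption: keep the refresh token only when offline_access was granted.
    refresh = data.get("refresh_token") if "offline_access" in scopes else None
    issued = time.time() if now is None else now
    return TokenSet(data["access_token"], refresh, issued + int(data["expires_in"]), scopes)
```

Pass the request to `urllib.request.urlopen` and feed the response body to `parse_token_response`; the returned refresh token still needs encrypted storage as noted above.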
Usage Example
GET /api/protected-resource HTTP/1.1
Host: api-dev.tripdata.vn
Authorization: Bearer iufhfWPkY_LOP8haywhRijU7KfntoXW3_uAoyBnFlts
Warning: This authentication method should only be used by trusted clients. For web/mobile apps, consider using Authorization Code flow with PKCE instead.