Authentication API Documentation

Overview

This API implements the OAuth 2.0 Resource Owner Password Credentials flow to obtain access tokens. It is used to authenticate users and generate tokens for API access.


API Endpoint

  • URL: {{host}}/connect/token
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded

Request Parameters

Parameter    Required   Description
grant_type   ✅ Yes     Must be password
client_id    ✅ Yes     Client application identifier
username     ✅ Yes     User's email/username
password     ✅ Yes     User's password

Sample Request

curl --location '{{host}}/connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=YOUR_CLIENT_ID' \
--data-urlencode 'password=@Password123' \
--data-urlencode 'username=account@tripdata.vn'

Sample Response

{
  "access_token": "iufhfWPkY_LOP8haywhRijU7KfntoXW3_uAoyBnFlts",
  "expires_in": 3600,
  "token_type": "Bearer",
  "refresh_token": "tttf0EqQvHlmLQKasoTDY7ZlyQLw5Zdtlt8tcqDJ5Bw",
  "scope": "client-data config-data hub-data offline_access user-data"
}

Response Field Description

Field           Type     Description
access_token    String   Bearer token for API authorization
expires_in      Number   Token validity in seconds (3600s = 1 hour)
token_type      String   Token type (always Bearer)
refresh_token   String   Token to obtain new access tokens
scope           String   Granted permissions (space-separated)

Scopes Reference

Scope            Description
client-data      Access to client-specific data
config-data      Read configuration data
hub-data         Access TripData Hub services
offline_access   Allows refresh token usage
user-data        Access user profile information

Security Notes

  1. Always use HTTPS for token requests
  2. Store tokens securely - never expose in client-side code
  3. Refresh tokens should be encrypted at rest
  4. Rotate client secrets regularly
  5. Use PKCE for public clients if implemented

Usage Example

GET /api/protected-resource HTTP/1.1
Host: api-dev.tripdata.vn
Authorization: Bearer iufhfWPkY_LOP8haywhRijU7KfntoXW3_uAoyBnFlts
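
A client-side helper for the request, response fields and Authorization header documented above, as an added example that is not part of the original documentation or TripData's own code. The function and class names, the `required_scopes` check and the 30-second expiry margin are assumptions; the sample response is constructed and uses placeholder token values.

```python
import json
import time
from urllib.parse import urlencode

# Constructed sample response: same fields as the page's sample, placeholder token values.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "ACCESS_TOKEN_PLACEHOLDER", "expires_in": 3600,
    "token_type": "Bearer", "refresh_token": "REFRESH_TOKEN_PLACEHOLDER",
    "scope": "client-data config-data hub-data offline_access user-data"})


def build_token_request(host, client_id, username, password):
    """Return (url, headers, body) for the password-grant request."""
    if not host.lower().startswith("https://"):
        raise ValueError("token requests must use HTTPS")
    # urlencode() escapes &, = and @, so credential characters cannot add parameters.
    body = urlencode({"grant_type": "password", "client_id": client_id,
                      "username": username, "password": password})
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return host.rstrip("/") + "/connect/token", headers, body.encode("ascii")


class TokenSet:
    """Parsed token response with an absolute expiry and a set of granted scopes."""
    def __init__(self, raw_json, required_scopes=(), now=None, skew=30):
        data = json.loads(raw_json)
        if str(data.get("token_type", "")).lower() != "bearer":
            raise ValueError("unexpected token_type")
        self.scopes = set(data.get("scope", "").split())
        missing = set(required_scopes) - self.scopes
        if missing:
            raise PermissionError("scopes not granted: " + " ".join(sorted(missing)))
        self.access_token = data["access_token"]
        self.refresh_token = data.get("refresh_token")
        issued = time.time() if now is None else now
        # Expire `skew` seconds early to absorb clock drift and request latency.
        self.expires_at = issued + int(data["expires_in"]) - skew

    def is_expired(self, now=None):
        return (time.time() if now is None else now) >= self.expires_at

    def auth_header(self, now=None):
        """Header for API calls, as in the Usage Example; refuses an expired token."""
        if self.is_expired(now):
            raise RuntimeError("access token expired; request a new one")
        return {"Authorization": "Bearer " + self.access_token}

    def __repr__(self):  # keeps token values out of logs and tracebacks
        return "TokenSet(scopes=%s, expires_at=%d)" % (sorted(self.scopes), self.expires_at)
```

Send the tuple returned by `build_token_request` with any HTTP client, then pass the response body to `TokenSet`.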

Warning: This authentication method should only be used by trusted clients. For web/mobile apps, consider using Authorization Code flow with PKCE instead.