Authorization Service
Access info
Endpoint | https://authorization-api.socrate.io/graphql |
Required access keys | Tenant-level service access key |
Pricing | Please contact us for details at contact@bitsoftware.ro |
Notes | To call the service, the access key must be provided in the x-api-key header of the HTTP request. If you are using the GraphQL console, you can view the service’s documentation and schema only after entering an access key. Make sure that the scope of the key allows access to the queries and mutations that you require. For example, to grant the key access to all queries and mutations, the key’s scope must be set to authorization-api:query:* authorization-api:mutation:*. |
Usage
The Authorization Service enables callers to generate service access tokens. A service access token is similar to a tenant-level security access key, in the sense that it provides access to one or more SBS services to a given tenant, for a given application. Like service access keys, service access tokens have a scope that defines which services (or even which queries and mutations within a service) are available to the bearer of the token.
Unlike service access keys, service access tokens expire, and thus are more suitable for use on the client side of your application. You can specify the token’s scope and expiry period when generating the token.
There is one more important difference between service access keys and service access tokens. To generate the former, you need access either to the SBS Console or to the Account API. To generate a service access token, however, you need a service access key whose scope allows access to the Authorization Service.
Note that service access tokens cannot be deleted or otherwise invalidated. They automatically cease to be valid once they expire. If you need to block a tenant’s access to the resource before the token expires, you can generate a Service Access Denial.
A service access token provides the same level of access as a tenant-level security access key. Therefore, it cannot be used to access services that accept an application-level security access key only (for example, User Management Service and OAuth 2.0 Service). If a service accepts either a tenant-level or an application-level security access key, then you can access it with a security access token.
How to use service access tokens
With a service access token, you can access SBS resources by populating the Authorization header of the HTTP(S) request as follows:
{"Authorization": "Bearer some-service-access-token"}
Where the value after “Bearer” is a service access token generated through the Authorization service.
Queries
version
Returns the API version.
Mutations
generateServiceAccessToken
Generates a service access token.
Arguments
Attribute | Type | Description |
---|---|---|
input | GenerateServiceAccessTokenInput! | Provides input data to the mutation. |
GenerateServiceAccessTokenInput
input
Attribute | Type | Description |
---|---|---|
expiresIn | Int! | Specifies the number of seconds after which the token will expire. |
scope | Scope! | Defines the extent of permissions available to the bearer of the token. For example, a scope like email-api:query:* email-api:mutation:* grants access to all queries and mutations of the Email Service. For more information about the syntax, see Restrict access to services. |
Result
ServiceAccessToken
type
Attribute | Type | Description |
---|---|---|
id | ID | The unique identifier of the service access token. |
accessToken | String | The value of the service access token. |
expiresIn | Int | The number of seconds (since generation) after which the token expires. |
scope | Scope | The extent of permissions available to the bearer of the token. |
createdAt | DateTime | The date and time when the token was created. |
Example
The following call generates a service access token that grants access to all queries and mutations of the Email Service and File Management Service. The token is set to expire in 1 day (86400 seconds).
mutation generateToken($input:ServiceAccessTokenInput!) {
  generateServiceAccessToken(input:$input) {
    id
    accessToken
    expiresIn
    scope
    createdAt
  }
}

{
  "input": {
    "expiresIn": 86400,
    "scope": "email-api:query:* email-api:mutation:* file-management-api:query:* file-management-api:mutation:*"
  }
}
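Because a service access token cannot be invalidated once issued, a backend that hands tokens to clients will usually cap the expiry and restrict the scope before calling the mutation. The following sketch is an added example, not code from the SBS documentation: the function names, the 900-second cap, the scope allowlist and the sample response are assumptions made for illustration. It builds the request with the access key in the x-api-key header, without sending it, and turns a response into the Bearer header described above.

```python
import json
import urllib.request

ENDPOINT = "https://authorization-api.socrate.io/graphql"  # endpoint from the page
MAX_TTL = 900  # assumed local policy: tokens cannot be revoked, so keep them short
ALLOWED = {"email-api:query:*", "file-management-api:query:*"}  # assumed local policy
# Mutation text as written in the page's example.
MUTATION = """mutation generateToken($input:ServiceAccessTokenInput!) {
  generateServiceAccessToken(input:$input) { id accessToken expiresIn scope createdAt }
}"""


def build_token_request(access_key, scopes, expires_in):
    """Build (not send) the server-side request that mints a client token."""
    if isinstance(expires_in, bool) or not isinstance(expires_in, int):
        raise ValueError("expiresIn must be an integer number of seconds")
    if not 0 < expires_in <= MAX_TTL:
        raise ValueError(f"expiresIn must be between 1 and {MAX_TTL}")
    denied = [s for s in scopes if s not in ALLOWED]
    if not scopes or denied:
        raise ValueError(f"scope not permitted for client tokens: {denied}")
    body = {"query": MUTATION,
            "variables": {"input": {"expiresIn": expires_in,
                                    "scope": " ".join(scopes)}}}
    return urllib.request.Request(
        ENDPOINT, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "x-api-key": access_key})


def bearer_header(response_text):
    """Turn the mutation's JSON response into the header the client sends."""
    reply = json.loads(response_text)
    if reply.get("errors"):
        raise RuntimeError("token generation failed")
    token = reply["data"]["generateServiceAccessToken"]["accessToken"]
    return {"Authorization": f"Bearer {token}"}


# Constructed sample response; the id and token values are placeholders.
SAMPLE_REPLY = json.dumps({"data": {"generateServiceAccessToken": {
    "id": "constructed-id", "accessToken": "constructed-token",
    "expiresIn": 600, "scope": "email-api:query:*",
    "createdAt": "2024-01-01T00:00:00Z"}}})

if __name__ == "__main__":
    req = build_token_request("placeholder-access-key", ["email-api:query:*"], 600)
    print(req.get_method(), req.full_url, json.loads(req.data)["variables"])
    print(bearer_header(SAMPLE_REPLY))
```

Only the token returned by `bearer_header` should reach the client; the service access key stays on the server that builds the request.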