Authorization

We implemented the OAuth 2.0 standard so you can communicate with our APIs with a single Bearer token.

Using the token

Once you receive the access token, you must include it as an authorization header every time you communicate with our APIs.

Example in Curl:

curl https://api.pomelo.la -H 'Authorization: Bearer eyJhbGciOiJSUzI1Ni'

Each API validates the access token and verifies that the scope matches the required permissions.

For the requests to be valid, communicate with our APIs only via HTTPS and include the authorization header indicating that it is a Bearer type.

Request token

The endpoint /oauth/token is used to obtain an access token. When performing a successful authentication, be sure to save it as you will need it to communicate with our APIs.

Each token is a JWT that contains an expiration time. We will return the same token to you each time you request one, until it expires. When it expires, we will provide a new one.

Available parameters
Header Parameters
content-typestringrequired
Enum: application/json
Body Parameters
client_idstringrequired
client_secretstringrequired
audiencestringrequired
Audiencia de API
grant_typestringrequired
Enum: client_credentials
Response details
access_tokenstring
Example: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IloyTmZOUTQwWVVrNXh0WnNRRDlHYSJ9.eyJodHRwczovL3BvbWVsby5sYS9jbGllbnRfaWQiOiIyZmYxMjM0MTY3MzRmMjI5MmUxMTE0ODdiZWRlZmMxZTI1NDkxY2E4YzI1ZTEyMjAzM2E5MGE3NjM2ZDllNDI0IiwiaXNzIjoiaHR0cHM6Ly9wb21lbG8tZGV2ZWxvcC51cy5hdXRoMC5jb20vIiwic3ViIjoiMWNxdXBVM0U0bFpIY2U2ZFdVbHpuU29nZU1rR3ozelFAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vYXV0aC1kZXYucG9tZWxvLmxhIiwiaWF0IjoxNjMxMDM1MDQzLCJleHAiOjE2MzExMjE0NDMsImF6cCI6IjFjcXVwVTNFNGxaSGNlNmRXVWx6blNvZ2VNa0d6M3pRIiwic2NvcGUiOiJhcmc6Y2FyZHM6Z2V0LWNhcmQgYXJnOmNhcmRzOmdldC11c2VyLWNhcmQgYXJnOmNhcmRzOmNyZWF0ZS1iYXRjaCBhcmc6Y2FyZHM6YWN0aXZhdGUtY2FyZCBhcmc6Y2FyZHM6Y3JlYXRlLWNhcmQgYXJnOmNhcmRzOmNyZWF0ZS1jYXJkIGFyZzpjYXJkczp1cGRhdGUtYnVsay1jYXJkcyBhcmc6Y2FyZHM6c2VhcmNoLWNhcmQgYXJnOnVzZXJzOmdldC11c2VyIGFyZzp1c2VyczpjcmVhdGUtdXNlciBhcmc6dXNlcnM6c2VhcmNoLXVzZXIgYXJnOnVzZXJzOnVwZGF0ZS11c2VyIiwiZ3R5IjoiY2xpZW50LWNyZWRlbnRpYWxzIn0.DkNi4BtLVdq1YMN5UFrtqvm2p-3DExt1X90janSfRWLbZHo2dtPtXkGfRF9kpdD3ZDA98euB68pt5nxZAGThaqm5g59pKkRz0nFzsDGUCH-Mfd6vYKGksO-dlyTeOwHyF189zYSvOMHcdaEOY2QybCWheOQnUgpFB7WaIPk6M8ZWI9SHSPtUjt6ePY7jsvDmVTtpXQM3ttB-0OarKN0qPi-A7WeD13Q7FuZHgQBxMipMlxeOfsz-RDOMwX7zTBhVNFp-Eu1Jtx1vFHVhDbG7tDW5N2np7kZvYXS5-wSP-fZMc57I1NmXrjbCACMWFhsnqTuHRJiHn3l-kG6nb7_EIw
scopestring
Example: arg:cards:get-card arg:cards:get-user-card
expires_ininteger
token_typestring
Example: Bearer
Was this section helpful to you?
POST/oauth/token
{
"client_id":
"3LBFuOiEHrl4BailkRlsnIMmSctMLb7A"
"client_secret":
"s5u3oYK0-A9CV6TkszPQThUa_qxMfr2yyd3-eJwQ ..."
"audience":
"https://auth-dev.pomelo.la"
"grant_type":
"client_credentials"
}
Response examples

Revoke token

The '/oauth/token/revoke' endpoint is used to revoke an access token from our cache. By revoking the token you can request a new one with the '/oauth/token' endpoint

Available parameters
Header Parameters
content-typestringrequired
Enum: application/json
Body Parameters
client_idstringrequired
client_secretstringrequired
audiencestringrequired
Audiencia de API
grant_typestringrequired
Enum: client_credentials
Response details
statusstring
Enum: SuccessError
Was this section helpful to you?
POST/oauth/token/revoke
{
"client_id":
"3LBFuOiEHrl4BailkRlsnIMmSctMLb7A"
"client_secret":
"s5u3oYK0-A9CV6TkszPQThUa_qxMfr2yyd3-eJwQ ..."
"audience":
"https://auth-dev.pomelo.la"
"grant_type":
"client_credentials"
}
Response examples