Overview

The Partner API is protected via OAuth 2.0, using the Client Credentials flow.

As the API is designed for machine-to-machine communication between backends, clients are required to continuously retrieve and refresh access tokens.

Retrieving an Access Token

To retrieve an access token, the client_id and client_secret, which have been exchanged during the onboarding process, will be required. If you do not yet have a set of credentials, please reach out to your contact person.

To retrieve an access token, perform a POST request to the token endpoint of our authentication API:

curl --request POST \
  --url 'https://partner.free2move.com/auth/realms/partner/protocol/openid-connect/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data client_id=YOUR_CLIENT_ID \
  --data client_secret=YOUR_CLIENT_SECRET \
  -s

On success, the following response will be returned, containing the requested access_token:

{
	"access_token": "ey...",
	"expires_in": 300,
	"refresh_expires_in": 0,
	"token_type": "Bearer",
	"not-before-policy": 0,
	"scope": "email profile"
}

🚧

Token Lifetime

Keep in mind that the retrieved token is only valid for a limited lifetime. The token lifetime can be evaluated via the expires_in attribute of the response. It is the responsibility of the client application to request a new token in time.

As specified in RFC 6749 no refresh_token will be issued. Simply request a new token via the client credentials flow.

Authenticating API Requests

This access_token can now be used to authenticate requests to the API:

curl --request GET \
  --url https://partner.free2move.com/api/rental/partner/vehicles \
  --header 'authorization: Bearer ACCESS_TOKEN' \
  --header 'Accept: application/json'