Access to the API is controlled using temporary JSON Web Tokens (JWT).
Before using the API, you will be issued with two pieces of information, a Client ID and a Client Secret. These are used to obtain tokens.
Request an access token as per the example below.
Authentication URL: https://uswitchpartners.eu.auth0.com/oauth/token
Set audience as follows:
Using your Client ID and Client Secret in place of CLIENT_ID and CLIENT_SECRET below, make a request to obtain a fresh token.
curl -X POST https://uswitchpartners.eu.auth0.com/oauth/token \
-H "Content-Type: application/json" \
-d '{ "grant_type": "client_credentials",
"audience":"https://staging-api.partners.uswitch.com/energy",
"client_id": "CLIENT_ID",
"client_secret": "CLIENT_SECRET"
}'
This will return JSON containing the token.
{
"access_token": "U29tZSBiYXNlIDY0IGVuY29kZWQgc3R1ZmY=...",
"expires_in": 86400,
"scope": "partner:partner-name",
"token_type": "Bearer"
}
The access token retrieved in the previous step is added to all requests to the API in the headers. Specifically it goes in the Authorization header, as a Bearer token. In the URL, you should replace ENDPOINT with the specific name of the endpoint you are using.
curl https://api.partners.uswitch.com/ENDPOINT \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer eW91ciBrZXkgaGVyZQ==..."
Tokens will need to be refreshed on a regular basis. The exact time may vary, but they will generally be valid for several hours. It is recommended to keep track of the token’s time-to-live within your application. If you attempt to access the API with an expired token, it will return the 401 HTTP status code.
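One way to track the token's time-to-live, as an added example rather than uSwitch's own client code: it caches the token from the request shown above, refreshes it shortly before expires_in elapses, and can be invalidated after a 401. The TokenCache class, the 60-second margin and the USWITCH_CLIENT_ID / USWITCH_CLIENT_SECRET environment variable names are assumptions; the URL and staging audience are the ones on this page.

```python
import json
import os
import time
import urllib.request

TOKEN_URL = "https://uswitchpartners.eu.auth0.com/oauth/token"
AUDIENCE = "https://staging-api.partners.uswitch.com/energy"


def fetch_token():
    """POST the client-credentials request; secrets come from the environment, not source."""
    body = json.dumps({
        "grant_type": "client_credentials",
        "audience": AUDIENCE,
        "client_id": os.environ["USWITCH_CLIENT_ID"],          # assumed variable name
        "client_secret": os.environ["USWITCH_CLIENT_SECRET"],  # assumed variable name
    }).encode()
    req = urllib.request.Request(
        TOKEN_URL, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Hypothetical helper: reuses a token until shortly before it expires."""

    def __init__(self, fetch=fetch_token, clock=time.monotonic, margin=60):
        self._fetch, self._clock, self._margin = fetch, clock, margin
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at:
            reply = self._fetch()
            if reply.get("token_type") != "Bearer" or not reply.get("access_token"):
                raise ValueError("unexpected token response")  # never log the reply itself
            self._token = reply["access_token"]
            # Refresh `margin` seconds early so no request carries a token about to expire.
            lifetime = max(0, int(reply["expires_in"]) - self._margin)
            self._expires_at = self._clock() + lifetime
        return self._token

    def invalidate(self):
        """Call after a 401 response so the next get() requests a fresh token."""
        self._token = None

    def headers(self):
        """Headers for an API request, matching the curl example."""
        return {"Accept": "application/json",
                "Content-Type": "application/json",
                "Authorization": "Bearer " + self.get()}
```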
The token contains your identity and a request for access to the API. You can see the token contents by decoding it (for example, by using the site https://jwt.io). It is signed by the authorisation service using the RS256 cryptographic algorithm, and this will be verified by our API to check it is valid and has not been altered. This ensures that the tokens cannot be faked, and no other parties can gain access to your customers’ information.
As the API uses HTTPS, the token will be encrypted during transfer to the API.
The Client ID and Client Secret are alpha-numeric keys that we will generate for you during onboarding. You will need to keep track of these in order to request access tokens. Take care not to lose your Client Secret, or expose it publicly. It should not be checked into version control. If it is lost, please inform us so that we can invalidate it immediately and issue a new secret.