This section explains how to authenticate to the API.
The GPS Cards API uses OAuth 2 for authentication between GPS and Clients. This means that to perform an action on the Cards API, you need to supply a valid OAuth Token in the header of each API request. For more information about the headers in the GPS Cards API, see Headers.
GPS uses the Client Credentials OAuth flow to generate a valid OAuth token. For more information about granting OAuth Client Credentials, see the OAuth.net website.
The following OAuth terms are used in this section:
- User — this is the resource owner (in this case GPS) who authorise an application to access their account. Access is limited to the scope of the authorisation granted.
- Client — this is the application requesting access to the user’s account. The application must be authorised by the user, and the authorisation must be validated by the API.
- Resource/Authorisation Server — this is the API. The Resource server hosts the user’s accounts. The Authorisation server verifies the identity of the users and grants access tokens to the application.
To interface and authenticate with the GPS Cards API, both a ClientId and ClientSecret are required.
To obtain these, you must register with GPS. Please contact your GPS Implementation Manager.
When registered, you will receive your Program Manager ID and user credentials.
Next, you use these credentials to generate an access token using our Retrieve access token endpoint.
After receiving a valid OAuth2 token, use this in the Authorisation header on all subsequent API requests.
See the Retrieve access token endpoint.
The Client Credentials flow does not allow a user to refresh an OAuth Token. If your token expires, you will need to generate a new OAuth Token.