Getting an Access Token

Access token request

To access the Finlex API, you'll need an Access Token.

Finlex Cloud Platform uses JWT-based tokens for authenticating and verifying requests. Access tokens can be issued for apps via the auth service by using the "app-id" and "secret-key". Due to the modular and granular Finlex Platform RBAC system, the access scope of tokens can be configured via app settings.

Generating Secret key

In order to request a new access token, the app id and secret key must be provided. The secret key for each app can be generated from the app panel.

Secret keys can also be regenerated or deleted; however, any active access token that was issued using a deleted secret key is invalidated.

🚧

Keep your key secret

This key is a secret. To keep your integration secure, never store the secret key in your source code or commit it in version control. Instead, read the secret key from an environment variable. Use a secret manager or deployment system to set the token in the environment.

Access token lifetime policy

To reduce risk, tokens are invalidated automatically at their expiry time. If an extended lifetime is necessary, it can be requested during the token request. Please note that the "allow token lifetime extension" option on the app setting panel must be checked in order to allow this request.

Default lifetime: 60

| lifetime policy | TTL |
| --- | --- |
| default | 60 min |

Access Token request

In order to issue a new access token, Finlex Cloud Platform's auth endpoint has to be called.

Endpoint
auth.finlex.io/token
curl --request POST \
  --url 'https://auth.finlex.io/token' \
  --header 'Content-Type: application/json' \
  --data '{
    "app_id": "<your-app-id>",
    "secret": "<secret-key>",
    "expiry": "2032-05-08T10:49:37.326809761Z"
  }'

| Property name | Format | Validation |
| --- | --- | --- |
| app_id | string | Mandatory |
| secret | string | Mandatory |
| expiry | ISO 8601 date and time format YYYY-MM-DDTHH:MM:SS.ssssssZ (UTC) | Optional |

📘

When using a token with unlimited lifetime, the expiry time can be set by passing expiry within the token issue request.

Authentication

Once the new token is issued, include it in the Authorization header of every API request in your integration code, as in the following example:

GET /v1/api/tender HTTP/1.1  
Authorization: Bearer {ACCESS_TOKEN}

Using URL Query Parameter instead of Header

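Alternatively, the token can be passed via a URL query parameter if setting the token within the 'Authorization' header is not possible. Prefer the header wherever you can: URLs are commonly recorded in server and proxy logs and in browser history, so a token in the query string is more exposed than one in a header.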

curl 'https://api.finlex.io/v1/tender?token=<ACCESS_TOKEN>'

Revoking access token

In order to invalidate the active token, use the following request:

curl --request POST \
  --url https://auth.finlex.io/token-revoke \
  --header 'Authorization: Bearer {ACCESS_TOKEN}'
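
The token, API and revoke requests described above as integration code, with the secret key read from the environment and the token carried only in the Authorization header. This is an added example, not Finlex's own code; the environment variable names FINLEX_APP_ID and FINLEX_SECRET_KEY and the function names are assumptions.

```python
import json
import os
import urllib.request
from datetime import timezone

AUTH_BASE = "https://auth.finlex.io"  # auth host as given on this page


def token_request(env=os.environ, expiry=None):
    """Build the POST to /token, taking credentials from the environment only."""
    # FINLEX_APP_ID / FINLEX_SECRET_KEY are assumed names, not defined by Finlex.
    try:
        body = {"app_id": env["FINLEX_APP_ID"], "secret": env["FINLEX_SECRET_KEY"]}
    except KeyError as missing:
        # Fail closed and name the variable, without echoing any secret value.
        raise RuntimeError(f"{missing.args[0]} is not set") from None
    if expiry is not None:
        if expiry.tzinfo is None:
            raise ValueError("expiry must be a timezone-aware datetime")
        # ISO 8601 in UTC with a trailing Z, matching the property table.
        utc = expiry.astimezone(timezone.utc)
        body["expiry"] = utc.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return urllib.request.Request(
        f"{AUTH_BASE}/token",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def api_request(url, access_token):
    """Build an API call with the token in the header, never in the URL."""
    if not url.startswith("https://"):
        raise ValueError("refusing to send a bearer token over a non-HTTPS URL")
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {access_token}"}
    )


def revoke_request(access_token):
    """Build the POST to /token-revoke for the token being invalidated."""
    return urllib.request.Request(
        f"{AUTH_BASE}/token-revoke",
        headers={"Authorization": f"Bearer {access_token}"},
        method="POST",
    )
```

Each function returns a request object to pass to `urllib.request.urlopen(req, timeout=...)`; the response body format of the token endpoint is not documented on this page, so parsing it is left out.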