Authentication

Before you can begin using the EAC GraphQL API, you need to authenticate. This step is essential to ensure a secure and seamless integration. All environments require you to authenticate with CIAM using a standard OAuth2 flow.

In this section we will explain how to authenticate your requests.

Registering your Application

The first step in using the EAC GraphQL API is to register your application. Once done, you will receive a client id and client secret. The client id is the identifier of your application and the client secret is its password, so make sure to keep it safe.

Follow the instructions from the Environments section to register your application for the desired environment. Your client id/secret will be different for each environment.

Authentication Flow

The EAC GraphQL API follows the widely adopted OAuth 2 framework for authentication. This flow allows you to obtain access tokens, granting your application the ability to authenticate and authorize API requests.

For a system-to-system integration, use the OAuth 2 client credentials flow to acquire an access token from CIAM. Send a POST request to the token endpoint of CIAM. To find its URL, open the OpenID configuration URL listed in the Environments section and read the token_endpoint field. Use the scope eac-api. Your client id and secret must be provided in the body (not as a Basic Authorization header).

Once you have an access token, use it in the Authorization header of your requests to EAC.

Error Handling and Troubleshooting

No authentication process is without its challenges. We'll address common error scenarios and provide guidance on how to handle authentication errors gracefully. By understanding potential issues and implementing proper error handling mechanisms, you'll be well-equipped to troubleshoot authentication-related problems effectively.

I can't get an EAC access token from CIAM

Here are some potential issues you might face:

  1. CIAM has two environments, a production and a non-production one. Make sure to use the correct environment.
  2. Make sure to pass your client id/secret in the body of the request and not in a Basic Authorization header. CIAM rejects the Basic Authorization header for security reasons.

My access token does not work, the EAC API returns a 401 error code

Here are some potential issues you might face:

  1. Make sure your access token is not expired. Tokens are only valid for a short amount of time. The token is a JWT, so the expiration time is available inside the token; use a base64 decoder to read it.
  2. Make sure you are using the correct client id/secret. Those credentials are different for each environment.
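
The two checks above (credentials in the request body, and token expiry) can be scripted. The following is an added example, not code from the EAC documentation: it builds the client credentials request described under Authentication Flow and reads the expiry out of a JWT. The function names, the `ciam.example.invalid` URL and the sample token are assumptions constructed for illustration; `grant_type` and `exp` are the standard OAuth 2 and JWT field names.

```python
import base64
import json
import time
import urllib.parse
import urllib.request


def build_token_request(token_endpoint, client_id, client_secret):
    """Build the client credentials POST with the credentials in the form body."""
    form = {
        "grant_type": "client_credentials",
        "scope": "eac-api",
        "client_id": client_id,
        "client_secret": client_secret,
    }
    body = urllib.parse.urlencode(form).encode("ascii")
    # No Authorization header is set: the credentials travel in the body only.
    return urllib.request.Request(
        token_endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def jwt_claims(token):
    """Decode the JWT payload for troubleshooting. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    # JWT segments are base64url without padding; restore it before decoding.
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def seconds_until_expiry(token, now=None):
    """Seconds left before `exp`; zero or negative means the token is expired."""
    exp = jwt_claims(token).get("exp")
    if exp is None:
        raise ValueError("token has no exp claim")
    return exp - (time.time() if now is None else now)


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample token with a placeholder signature, not issued by CIAM.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256"}), _b64url({"exp": 1700000000}), "sig"])
```

Pass the request object to `urllib.request.urlopen` to actually obtain a token; the token endpoint value comes from the OpenID configuration of your environment.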