Acquire service account token
To acquire a new API token with OAuth 2.0, you need four pieces of information from the Tango portal: the client ID, client secret, service account username, and service account password. With this information, use the POST {URI}/oauth/token endpoint to acquire a new token. To get the client ID, client secret, username, and password, refer to Use OAuth for secure connection.
Note:
- A token has a Time-to-Live (TTL) of either 24 hours (86,400 seconds) or 5 minutes (300 seconds), determined by the audience you select at the time of token creation.
- An access token can only be used for the TTL period once created. Create a new token at least once every TTL period to authenticate calls. New tokens can be generated using the same client credentials and service accounts, or the updated credentials.
Endpoint
Use the following endpoint to request a new OAuth token:
| Endpoint | Description |
|---|---|
| POST {URI}/oauth/token | To acquire a new OAuth token. |
Parameters
The following parameters are used when requesting an OAuth token from Tango. This token is required before calling any protected Tango APIs:
| Form Data | Data type | Requirement | Description |
|---|---|---|---|
| client_id | string | required | The client_id is a variable referring to the Client ID field value generated in the Tango portal under OAuth client credentials. |
| client_secret | string | required | The client_secret is a variable referring to the Client Secret field value generated in the Tango portal under OAuth client credentials. |
| username | string | required | The Service Account username created in the Tango portal under OAuth Service Accounts. |
| password | string | required | The Service Account password created in the Tango portal under OAuth Service Accounts. |
| scope | string | required | Space-separated list of OAuth scopes. The value is static and is always raas.all. |
| audience | string | required | Audience determines token TTL: |
| grant_type | string | required | grant_type is currently password for this integration flow. This corresponds to the OAuth 2.0 Resource Owner Password Credentials (ROPC) grant used by this API. |
Headers provide metadata about an HTTP request, telling the server how to parse the incoming data and what format to use when returning the response. The following headers are used in your request:
| Headers | Requirement | Data type |
|---|---|---|
| Content-type | optional | string |
| Accept | optional | string |
Examples
These examples use the sandbox endpoint. For production, use the production auth endpoint configured for your platform. Confirm endpoint hostnames in the API testing/reference documentation before go-live.
Here's an example request that uses the above parameters to create a 24-hour token:
curl --request POST \
--url https://sandbox-auth.tangocard.com/oauth/token \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data client_id=string \
--data client_secret=string \
--data username=string \
--data 'password=string' \
--data scope=raas.all \
--data audience=https://api.tangocard.com/ \
--data grant_type=password
Here's an example of the returned payload:
{
"access_token": "<string>",
"scope": "<string>",
"expires_in": "<integer>",
"token_type": "Bearer"
}
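The note above requires a new token at least once every TTL period. As an added example (not Tango's code), this Python class caches the token from the response and requests a new one shortly before expires_in elapses; the TokenCache name, the 30-second skew and the injectable post and clock parameters are assumptions, and building the DPoP proof header is not covered.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://sandbox-auth.tangocard.com/oauth/token"  # sandbox URL from the page


def post_form(url, form):
    """Default transport: POST the urlencoded form and return the parsed JSON reply."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


class TokenCache:
    """Holds one access token and renews it shortly before its TTL runs out."""

    def __init__(self, creds, audience, post=post_form, clock=time.monotonic, skew=30):
        # creds: dict with client_id, client_secret, username, password.
        self._form = dict(creds, scope="raas.all", audience=audience,
                          grant_type="password")
        self._post, self._clock, self._skew = post, clock, skew  # assumed hooks
        self._header, self._renew_at = None, 0.0

    def authorization(self):
        """Return the Authorization header value, requesting a new token if due."""
        if self._header is None or self._clock() >= self._renew_at:
            reply = self._post(TOKEN_URL, self._form)
            # token_type is "Bearer", or "DPoP" when DPoP is active.
            self._header = f'{reply["token_type"]} {reply["access_token"]}'
            # Renew `skew` seconds early so no call goes out with an expired token.
            self._renew_at = self._clock() + int(reply["expires_in"]) - self._skew
        return self._header


if __name__ == "__main__":
    def fake_post(url, form):  # constructed reply so the demo runs offline
        return {"access_token": "tok", "scope": "raas.all",
                "expires_in": 86400, "token_type": "Bearer"}
    creds = dict(client_id="id", client_secret="s", username="u", password="p")
    cache = TokenCache(creds, "https://api.tangocard.com/", post=fake_post)
    print(cache.authorization())
```

The credential values in the demo are constructed; in a real integration, pass them in from a secret store or environment variables rather than source code.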
Using DPoP with this endpoint (optional)
This endpoint also supports DPoP for enhanced security. If your platform has DPoP enabled, include a DPoP HTTP header in your token request containing a DPoP Proof JWT. All existing form parameters remain the same; only the DPoP header is added.
| Additional Header | Requirement | Description |
|---|---|---|
| DPoP | Required when using DPoP | A signed DPoP Proof JWT with htm=POST and htu set to the token endpoint URI. See "Use OAuth with DPoP for maximum security" for instructions on how to construct a proof. |
Here's an example of a DPoP token request:
curl --request POST \
--url https://sandbox-auth.tangocard.com/oauth/token \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'DPoP: <dpop_proof_jwt>' \
--data client_id=string \
--data client_secret=string \
--data username=string \
--data 'password=string' \
--data scope=raas.all \
--data audience=https://api.tangocard.com/ \
--data grant_type=password
Here's the DPoP token response:
{
"access_token": "<string>",
"scope": "raas.all",
"expires_in": 86400,
"token_type": "DPoP"
}
When DPoP is active, token_type is DPoP rather than Bearer. Use Authorization: DPoP
Response codes
The response for this endpoint is one of the following. For details, see i18nkey codes and their error messages:
- 200 OK
- 400 Bad Request
- 401 Unauthorized
