OK - Authentication

The fulfillmenttools platform is secured by using an external Identity-Provider (Google Identity Toolkit) which issues JWT tokens in exchange for a valid username and password. This JWT token encodes (among other things) your username, your role and which facility you are assigned to in a secure way. Authorization against our API works by using such an issued JWT Token in every request as a HTTP-Header.

Authentication request

For authentication send a HTTP POST call to this API endpoint:

POST https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key={authKey}

{
    "email": "willy@wonkacandycompany.com",
    "password": "myPassword",
    "returnSecureToken": true
}

authKey, email and password have to be valid to your fulfillmenttools instance and are being given to you when the instance was created.

Authentication response

As a result, an answer looking similar to this is response:

{
  "kind": "identitytoolkit#VerifyPasswordResponse",
  "localId": "jdwBuqqYWdYoqWTH1Xv85EJJMpm2",
  "email": "willy@wonkacandycompany.com",
  "displayName": "Willy Wonka",
  "idToken": "eyJhbGciOiJSUzI1NiIsImtpZ...ynLgbiNgHJJxtBXSTSFnp2fA",
  "registered": true,
  "refreshToken": "AE0u-NeGDdHWPB0RjOYO...pRMKoncagBq30OFCJkEgpvyI",
  "expiresIn": "3600"
}

Two attributes in the above response are of special importance:

1. idToken is the actual JWT you need to send along every REST Call you issue against the fulfillmenttools API. It has an expiration period to it depicted by the attribute expiresIn. In this case it is valid for 3600 seconds which equals to 1 hour. After that you need to get a fresh token.

2. refreshToken should be used to get a fresh token without providing the credentials again.

Token refresh

To refresh a token, send a HTTP POST call to this API endpoint:

POST https://securetoken.googleapis.com/v1/token?grant_type=refresh_token&refresh_token={refreshToken}&key={authKey}