Authentication

Ensure no spooky stuff happens

To interact with the Prio API, you must authenticate using OAuth 2.0. Upon onboarding, you will receive a client_id and client_secret, which you will use to obtain an access token.

Getting an Access Token

Use the client_credentials grant type to request an access token. Once obtained, the token must be included in the Authorization HTTP header for all subsequent API requests:

Authorization: <token_type> <access_token>

If the Authorization header is missing or the token is invalid, the request is rejected with an error message describing the problem; the response status is 400 Bad Request or 403 Forbidden depending on the scenario.

We strongly recommend using a reputable OAuth 2.0 library for your programming language to handle token acquisition, refresh, and the Authorization header automatically. Avoid implementing this logic manually.

Security Guidelines

  • HTTPS Required: All API requests must be made over HTTPS. Requests over plain HTTP will be rejected.

  • Authentication Required: All API requests must include a valid access token. Requests without authentication will fail.

  • Token Revocation: If a token is deactivated or otherwise invalidated, the API will return a 403 Forbidden response.

  • Key Management: Your API credentials (client_id and client_secret) must be kept confidential. You are fully responsible for all activity conducted using your credentials.

  • Compromised Keys: If you suspect your credentials have been exposed or misused, immediately contact us to revoke access and regenerate credentials.
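The following is an added example (not Prio's own code or client library) that walks through the flow described above: build the client_credentials token request, parse the token response, place the token in the Authorization header in the "<token_type> <access_token>" form, refuse to send credentials to any non-HTTPS URL, and refresh the cached token before it expires. The token endpoint URL, the use of HTTP Basic client authentication with a form-encoded body, and the JSON shape of the token response (access_token, token_type, expires_in) are assumptions, not details taken from this page; the sample token response is constructed.

```python
"""Minimal OAuth 2.0 client_credentials flow for an API like Prio's.

Added example, not the Prio project's own code. Assumed (not stated on the
page): the token endpoint URL, HTTP Basic client authentication with a
form-encoded body, and a JSON token response carrying access_token,
token_type and expires_in.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from urllib.parse import urlsplit

# Hypothetical endpoint; the real URL comes from your onboarding material.
TOKEN_URL = "https://auth.example.invalid/oauth/token"

# Constructed sample token response (not captured from the real API).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "example-access-token",
    "token_type": "Bearer",
    "expires_in": 3600,
})


def require_https(url):
    """Refuse to build a request to a non-HTTPS URL: credentials and tokens
    must never leave the client in clear text (the API rejects HTTP anyway)."""
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing to send credentials over non-HTTPS URL: {url}")
    return url


def build_token_request(token_url, client_id, client_secret):
    """Return (headers, body) for a client_credentials grant request."""
    require_https(token_url)
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return headers, body


def parse_token_response(raw, now=None):
    """Parse the JSON token response into a dict with an absolute expiry time."""
    now = time.time() if now is None else now
    data = json.loads(raw)
    if "access_token" not in data:
        raise ValueError("token response lacks access_token")
    return {
        "access_token": data["access_token"],
        "token_type": data.get("token_type", "Bearer"),
        "expires_at": now + int(data.get("expires_in", 3600)),
    }


def authorization_header(token):
    """Header in the form the page specifies: 'Authorization: <token_type> <access_token>'."""
    return {"Authorization": f"{token['token_type']} {token['access_token']}"}


def fetch_token(token_url, client_id, client_secret):
    """Perform the token request over the network (not exercised offline)."""
    headers, body = build_token_request(token_url, client_id, client_secret)
    req = urllib.request.Request(token_url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read())


class TokenCache:
    """Hold one access token and re-fetch it `skew` seconds before expiry,
    so a request never goes out with a token that is about to lapse."""

    def __init__(self, fetcher, skew=60):
        self._fetcher = fetcher   # callable returning a parsed token dict
        self._skew = skew
        self._token = None

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._token["expires_at"] - self._skew:
            self._token = self._fetcher()
        return self._token


def classify_auth_failure(status):
    """Map the auth-related status codes named on the page to a client action."""
    if status == 400:
        return "bad request: check the Authorization header and token"
    if status == 403:
        return "forbidden: token invalid or revoked; obtain a new token"
    return None
```

In production the `fetcher` passed to TokenCache would be `lambda: fetch_token(TOKEN_URL, client_id, client_secret)` with the credentials loaded from a secrets store rather than source code; the cache plus `require_https` is the part a hand-rolled client usually gets wrong, which is why the page recommends a library.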
