Authentication/​Authorization

OAuth 2.0

All APIs on SCB's Open API Platform are secured with the OAuth 2.0 standard. Depending on the API category, an API is protected either by 2-Legged OAuth (Client Credentials grant) or by 3-Legged OAuth (Authorization Code grant). OAuth 2.0 first authenticates the user, who then authorizes the API call.

Client Credentials Grant Type

This grant type is typically used for an authorized server-to-server call made outside the context of a user. It is therefore used by an application to access resources that belong to the application itself rather than to a user.

Seq No.  API Name               API Endpoint
1        Generate Access Token  POST /v1/oauth/token

Authorization Code Grant Type

The Authorization Code grant type is used by confidential and public clients to exchange an authorization code for an access token. After the user returns to the client via the redirect URL, the application will get the authorization code from the URL and use it to request an access token.
Note: The authorization code expires shortly after it is issued to mitigate the risk of leaks. It is valid for 1 minute and must be exchanged for an access token within that time. An access token is valid for only 30 minutes, and a refresh token is valid for 60 minutes.

Seq No.  API Name                                                   API Endpoint
2        Authorize Third-Party Application to Login with SCB EASY   GET /v2/oauth/authorize
10       Generate Access Token                                      POST /v1/oauth/token
14       Refresh Access Token                                       POST /v1/oauth/token/refresh
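The following is an added example, not SCB's own SDK or sample code. It applies the endpoints and lifetimes stated above (1-minute code, 30-minute access token, 60-minute refresh token) to decide when a client may exchange a code, when it must refresh, and when the user has to authorize again; the request body keys are the RFC 6749 parameter names, which is an assumption, since SCB's exact request format is not given on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Lifetimes and endpoint paths as stated on this page.
CODE_TTL, ACCESS_TTL, REFRESH_TTL = (timedelta(minutes=m) for m in (1, 30, 60))
AUTHORIZE_PATH = "/v2/oauth/authorize"
TOKEN_PATH = "/v1/oauth/token"
REFRESH_PATH = "/v1/oauth/token/refresh"


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    issued_at: datetime  # when the token (or refresh) response was received


def code_is_exchangeable(code_issued_at: datetime, now: datetime) -> bool:
    # An authorization code can only be exchanged within its 1-minute lifetime.
    return timedelta(0) <= now - code_issued_at < CODE_TTL


def next_action(tokens: TokenSet, now: datetime) -> str:
    # Both tokens age from the same issue time; the access token expires first.
    age = now - tokens.issued_at
    if age < ACCESS_TTL:
        return "call_api"        # access token still valid
    if age < REFRESH_TTL:
        return REFRESH_PATH      # access token expired, refresh token still valid
    return AUTHORIZE_PATH        # both expired: the user must authorize again


def token_request(grant: str, now: datetime, **p) -> dict:
    # Builds (does not send) the token request. Body keys are the RFC 6749
    # names; SCB's exact field names are not on this page and are an assumption.
    if grant == "client_credentials":            # 2-Legged: no user involved
        body = {"grant_type": grant}
        path = TOKEN_PATH
    elif grant == "authorization_code":          # 3-Legged: code from redirect URL
        if not code_is_exchangeable(p["code_issued_at"], now):
            raise ValueError(f"authorization code expired; restart at {AUTHORIZE_PATH}")
        body = {"grant_type": grant, "code": p["code"], "redirect_uri": p["redirect_uri"]}
        path = TOKEN_PATH
    elif grant == "refresh_token":
        body = {"grant_type": grant, "refresh_token": p["refresh_token"]}
        path = REFRESH_PATH
    else:
        raise ValueError(f"unsupported grant type: {grant}")
    return {"method": "POST", "path": path, "body": body}
```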

Token Generator

In order to get an access token, developers are required to authenticate and authorize resource sharing with the SCB EASY app. The Token Generator allows developers to bypass the authorization step for easy testing of the APIs.

How to Use

  1. Choose an application.
  2. Choose a grant type. If 3-Legged OAuth is selected, you have to choose a profile type (Citizen ID, Passport No. or Alien ID) and a test customer profile. When calling APIs related to a user, the data of the selected test customer profile will be returned.
  3. Click the "Generate" button; the generator then provides these values:
    - accessToken, used to call the APIs.
    - refreshToken, used to call /v1/oauth/token/refresh.
    - resourceOwnerId, used in the request header when getting a test customer profile.