POST https://api-stage.onsched.com/v3/auth/token
Generate a bearer token to access the OnSched API
New Authentication Process!
Authentication has changed in version 3.0.0
We're now using a new header, x-client-id, which will define the company that you are connecting to. This allows users to manage multiple companies more easily within a single Dashboard with the same login and refresh token.
Refresh Tokens
In version 1.0.0 you were required to obtain a new access token. Access tokens are short-lived (e.g., 15 minutes to 1 hour) and are used to access protected resources. Now your app can silently refresh the access token in the background.
- Store Securely: Should be stored in secure storage (e.g., the environment variables in your backend).
- Use for Backend Requests: Should be used in your backend only, so as not to expose your refresh token in front-end requests.
- Rotate Frequently: Modern implementations rotate refresh tokens with each use (Refresh Token Rotation), invalidating the previous one.
- Scope and Limit: Can be scoped for specific apps or roles, limiting damage if compromised.
- Revoke: Can be manually or automatically revoked by the server if suspicious activity is detected.
What to do with my token
Once you have obtained a current access_token from the response of POST /v3/auth/token, it can be used for your authorization header in follow-up requests.
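The following is an added example, not OnSched's own code: a backend-side token holder that refreshes silently, persists a rotated refresh token, and builds the authorization header for follow-up requests. Assumptions: the request body field, the response fields refresh_token and expires_in, the injected post and save callables, and the constructed fake endpoint are all illustrative; only x-client-id, access_token and the endpoint URL come from this page.

```python
import time

TOKEN_URL = "https://api-stage.onsched.com/v3/auth/token"  # endpoint from the page


class TokenManager:
    """Backend-side holder: keeps the refresh token private, caches the access token."""

    def __init__(self, client_id, refresh_token, post, save, clock=time.time):
        self.client_id = client_id
        self._refresh_token = refresh_token  # e.g. loaded from a backend env variable
        self._post = post      # hypothetical transport: post(url, headers, body) -> dict
        self._save = save      # persists a rotated refresh token in backend storage
        self._clock = clock
        self._access_token = None
        self._expires_at = 0.0

    def _refresh(self):
        # ASSUMPTION: the body field and the response fields "refresh_token" and
        # "expires_in" are illustrative; the page names only x-client-id and access_token.
        resp = self._post(TOKEN_URL, {"x-client-id": self.client_id},
                          {"refresh_token": self._refresh_token})
        self._access_token = resp["access_token"]
        rotated = resp.get("refresh_token")
        if rotated and rotated != self._refresh_token:
            # Rotation invalidates the token just used, so store the new one first.
            self._save(rotated)
            self._refresh_token = rotated
        # Renew 30 s early so no request goes out with a token about to expire.
        self._expires_at = self._clock() + resp.get("expires_in", 900) - 30

    def auth_headers(self):
        if self._access_token is None or self._clock() >= self._expires_at:
            self._refresh()
        return {"Authorization": f"Bearer {self._access_token}"}


def fake_post_factory():
    """Constructed stand-in for the token endpoint: rotates and rejects reused tokens."""
    state = {"valid": "rt-0", "n": 0, "calls": []}
    def post(url, headers, body):
        state["calls"].append((url, dict(headers), dict(body)))
        if body["refresh_token"] != state["valid"]:
            raise PermissionError("refresh token already used")
        state["n"] += 1
        state["valid"] = f"rt-{state['n']}"
        return {"access_token": f"at-{state['n']}",
                "refresh_token": state["valid"], "expires_in": 900}
    return post, state
```

If the save callback is skipped under rotation, a backend restart reloads the original refresh token, which the server has already invalidated.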