curl --location '
--header 'Authorization: Basic \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'scope=urn:uae:digitalid:backend\_api:manage\_user\_consent openid ' \
--data-urlencode 'grant\_type=client\_credentials'
| | Method | POST | | Security | (CCG) Client Credentails Grant | | Headers |Authorization: {Basic with client credentials} – base64(clientid:client\_secret) – to be obtained from UAEPASS operations team.
Content-Type: {Standard form url encoded type for token}
| #### Request Payload ``` curl --location 'https://stg-ids.uaepass.ae/oauth2/token' \ --header 'Authorization: Basic *********************' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'scope=urn:uae:digitalid:backend_api:manage_user_consent openid ' \ --data-urlencode 'grant_type=client_credentials' ``` #### Response Payload | Sample success response |{
"access\_token": "4d6861ed-aa8d-31e3-acff-df3413ee68bf",
"scope": "openid urn:uae:digitalid:backend\_api:manage\_user\_consent",
"id\_token": "eyJ4NXQiOi…”
"token\_type": "Bearer",
"expires\_in": 3600
}
| | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | #### Values of X-UP-AccessToken & Authorization headers The value of access\_token from the above response should be used for the header ‘X-UP-AccessToken’. Similarly, the value of id\_token should be used to populate the value of the header ‘Authorization’. ### API Authentication – UAEPASS to SP Callback API invoked by UAEPASS to notify SP about a consent decision made by user is protected by API Key. A value for this API key must be agreed upon and shared with UAEPASS via secured channel. This will be populated in the value of the header X-API-Key {% hint style="info" %} In addition to the X-API-KEY, we can also send an authorization header with basic credentials, depending on the service provider’s configuration in UAEPASS and it is optional based on service requirement. {% endhint %} #### API nonrepudiation – HMAC To guarantee that request body of the API(s) have not been modified inflight, and that the origin of the API invocations is legitimate. HMAC (HmacSHA256) has been used. Fields included in creating the HMAC tokens. 1. API request body 2. Value of Request header: X-Timestamp Raw input to HMAC to generate HMAC token -> header\[X-Timestamp] + request body json. {% hint style="info" %} Kindly note that both SP & UAEPASS must agree on the above implementation to make HMAC verification possible on both ends. Once HMAC tokens are generated, they should be added as the value of the header ‘X-UAEPASS-Signature’. {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.uaepass.ae/feature-guides/data-sharing-authorization/endpoints/api-security.md?ask=