# API Authentication and Authorization

# Introduction

Our REST APIs use OAuth 2.0 token-based authentication to ensure secure and controlled access. For more in-depth information, see the OAuth 2.0 specification (RFC 6749).


# Prerequisites

To establish an inbound connection to access Pagero REST APIs, you need valid client credentials issued by Pagero.

The OAuth 2.0 specification specifies several ways to obtain tokens. Please review the provided scenarios and follow the corresponding instructions.


# Scenario 1: Integrating an external system/application which requires user authentication

In this scenario, the external integration system/application will make API calls to the PageroOnline system on behalf of its users. Each user must have an individual active PageroOnline account, which can be either a Standard or Temporary type.

To access PageroOnline REST APIs, one of the following flows should be used.

- [Authorization code grant flow with proof key for code exchange (PKCE)](authorization-code-grant-pkce/)
- [Authorization code grant flow without proof key for code exchange](authorization-code-grant/)


# Scenario 2: Integrating a trusted application which does not require user authentication

Resource owner password credentials grant is suitable when the client is a regular Pagero Online customer who only wants to access the Pagero Online REST API for their own purposes.

- [Resource owner password credentials flow](resource-owner-password-credentials-grant/)


# Using a refresh token to obtain an access token

A refresh token allows the client to obtain a new access token after the current one expires, enabling continuous access to the API without re-authentication.

- [Using a refresh token to obtain an access token](using-refresh-token/)


# Token revocation

The process of token revocation involves invalidating or revoking tokens that were previously issued to clients.

- [Token revocation](token-revoke/)