# API authentication and authorization

# Introduction

Authentication and authorization for Pagero’s REST APIs are based on the OAuth 2.0 authorization framework.

The OAuth 2.0 specification can be found here.

OAuth 2.0 specifies several ways to obtain authorization. To access the Pagero Online REST API, one of the following two options should be used.


# Scenario 1: Client is an integrating system

In scenario 1, the client is an integrating third-party system that makes API calls to Pagero Online on behalf of its own users, who have individual Pagero Online accounts.

In this scenario, the OAuth authorization method to use is called "Authorization Code Grant".

[Authorization code grant](authorization-code-grant/)


# Scenario 2: Client is a regular Pagero Online customer

In scenario 2, the client is a regular Pagero Online customer who only wants to access the Pagero Online REST API for their own purposes.

The OAuth authorization method to use in this scenario is called "Resource Owner Password Credentials Grant".

[Resource owner password credentials grant](resource-owner-password-credentials-grant/)


# Scenario 3 (Special case!): Create new signups as an authenticated client

This scenario is only used in one single situation: when clients need to register new Pagero companies. In this case, clients may authenticate themselves as "clients" rather than as a specific user.

The OAuth authorization method to use in this scenario is called "Client Credentials Grant".

[Client credentials grant](client-credentials-grant/)