How do grant types for APIs/Apps work?

The grant types that are available for an API can be selected from a list when you create an OAuth or an Access Token Validation interceptor.

They define how a token can be created for that API. For example, if you only set Authorization Code as the grant type, you will not be able to create a token by Client Credentials.

Suppose, however, that you have a token created with the Authorization Code grant type. Even if you later change the grant type from Authorization Code to Client Credentials, the generated token will remain valid.

In short, keep in mind that:

  • The grant type is verified only when you create the token, not when you use it.

  • Once created, the token remains valid until it expires or is revoked.

  • Changing the grant type does not affect the token validity.

Other examples:

  • Example 1: Your app is linked to only one API. You will only be able to generate tokens with the grant types allowed for that API.

  • Example 2: Your app is linked to two APIs: A and B. API A only allows token creation by Authorization Code and API B, only by Client Credentials. An application can generate tokens by both methods. If you successfully generate a token with Authorization Code, it can be used by both API A and API B.

  • Example 3: Your API has resources A and B. /resourceA only allows token creation by Authorization Code and /resourceB, only by Client Credentials. You will be able to generate tokens by both methods. If you successfully generate a token by Authorization Code, it can be used by either /resourceA or /resourceB.
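The rules above, modelled as an added Python example (not the platform's own code): the token store, the `Api`/`Token` objects and the `stale_tokens` audit helper are assumptions, and the scenario walks through Example 2 plus a grant-type change after issuance. The audit helper shows the check an operator wants after tightening grant types, since the platform keeps previously issued tokens valid.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

AUTH_CODE = "authorization_code"
CLIENT_CREDS = "client_credentials"

@dataclass
class Token:
    app: str
    grant_type: str          # recorded at issuance; never re-checked at use time
    expires_at: datetime
    revoked: bool = False

@dataclass
class Api:
    name: str
    allowed_grant_types: set
    linked_apps: set

def can_issue(apis, app, grant_type):
    # Grant type is enforced only at creation: any linked API allowing it suffices (Example 2).
    return any(app in a.linked_apps and grant_type in a.allowed_grant_types for a in apis)

def issue_token(apis, app, grant_type, now, ttl=timedelta(hours=1)):
    if not can_issue(apis, app, grant_type):
        raise PermissionError(f"{grant_type} not allowed for any API linked to {app}")
    return Token(app, grant_type, now + ttl)

def accepts(api, token, now):
    # At use time only linkage, expiry and revocation are checked, not the grant type.
    return token.app in api.linked_apps and not token.revoked and now < token.expires_at

def stale_tokens(api, tokens):
    # Audit (assumed helper): live tokens issued under a grant type the API no longer allows.
    return [t for t in tokens if not t.revoked and t.grant_type not in api.allowed_grant_types]

def scenario():
    """Walk through the page's examples with constructed data and return the outcomes."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    api_a = Api("A", {AUTH_CODE}, {"app1"})
    api_b = Api("B", {CLIENT_CREDS}, {"app1"})
    cc_on_a = can_issue([api_a], "app1", CLIENT_CREDS)   # False: A only allows auth code
    tok = issue_token([api_a, api_b], "app1", AUTH_CODE, now)
    usable_on_both = accepts(api_a, tok, now) and accepts(api_b, tok, now)
    api_a.allowed_grant_types = {CLIENT_CREDS}           # grant type changed after issuance
    still_valid = accepts(api_a, tok, now)
    flagged = len(stale_tokens(api_a, [tok]))            # the token the operator should revoke
    tok.revoked = True                                   # explicit revocation is what ends it
    return {"cc_on_a": cc_on_a, "both_apis": usable_on_both, "after_change": still_valid,
            "flagged": flagged, "after_revoke": accepts(api_a, tok, now)}
```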
