
OAuth 2.0 Authentication

OAuth 2.0 is a framework that enables secure access to Vodafone’s APIs via Access Tokens. It supports multiple grant types for flexibility in authentication and authorization. If the token request is valid, the API returns an access_token, which can be reused for multiple requests until it expires (59 minutes and 59 seconds). An invalid request returns an error message.

The Client Credentials Flow works as follows:

  1. Client Credentials: The Client Application sends its Client Credentials to the Authorization Server.
  2. Validation: The Authorization Server validates the Client Credentials.
  3. Access Token Issuance: After successful validation, the Authorization Server sends back the Access Token to the Client Application without a Refresh Token.
  4. Resource Request: The Client Application sends an access request to the Resource Server along with the Access Token to access protected resources.
  5. Token Validation: The Resource Server validates the Access Token.
  6. Resource Delivery: After successful validation, the Resource Server returns the requested protected resources to the Client Application.

Requesting an Access Token

  1. Use the Client Key and Secret from your sandbox app to populate the related variables in the "Sandbox Credentials" environment group in Postman.
  2. Call the token endpoint to create a bearer token for the API resource endpoint. Your client credentials will be taken from the environment variables and used in a basic OAuth flow. Use the following parameters in the request. All parameters are required:

| Parameter | Description |
| --- | --- |
| --location --globoff | cURL options to ensure proper handling of redirects and URLs with special characters. |
| vf-trace-transaction-id | A unique identifier for tracing the transaction across systems for debugging or logging purposes. |
| Content-Type | Specifies the format of the request body. Typically set to application/x-www-form-urlencoded. |
| Authorization | Encoded credentials (Consumer Key and Consumer Secret) used to authenticate the client. |
| grant_type | Specifies the OAuth 2.0 grant type. For this flow, it is set to client_credentials. |
| scope | Specifies the level of access requested by the Client Application. |

Note

You need to call the token endpoint separately for each API, because the API scope is held in the request body of the token call. The last bearer token and trace ID are stored in collection variables associated with the API solution that you have chosen.

Token Request Example

curl --location --globoff 'https://example.com/v1/token' \
--header 'vf-trace-transaction-id:  [[Trace-transaction-id]]' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: [[Authorization-masked-secret]]' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=[[scope-type]]'

Token Response Example

{
    "token_type": "Bearer",
    "access_token": "<<access-token-here>>",
    "expires_in": 3597,
    "scope": ""
}

 

Note

The response shows how long the Access Token remains valid. If it expires, generate a new one by following the steps in the Requesting an Access Token flow again.

 

Access the Protected Resource

Use the access token in the Authorization header to request the API’s protected endpoints.
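
The following Python sketch is an added example, not code from the Vodafone portal. It builds the token request from the cURL example, caches one token per scope (the scope is part of the token call) and requests a new token shortly before expires_in elapses, since no Refresh Token is issued. Assumptions: the Authorization header uses the HTTP Basic scheme over key:secret, the trace ID is a UUID, and the names TokenCache, send and the 30-second skew are hypothetical.

```python
import base64
import json
import time
import uuid
from urllib import parse, request

TOKEN_URL = "https://example.com/v1/token"  # placeholder URL from the page


def build_token_request(client_key, client_secret, scope):
    """Build the POST shown in the cURL example (nothing is sent here)."""
    # Assumption: 'Authorization' carries HTTP Basic base64(key:secret).
    basic = base64.b64encode(f"{client_key}:{client_secret}".encode()).decode()
    body = parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return request.Request(TOKEN_URL, data=body.encode(), method="POST", headers={
        "vf-trace-transaction-id": str(uuid.uuid4()),  # assumption: UUID format
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {basic}",
    })


def send(req):
    """Default transport: perform the HTTPS call and parse the JSON body."""
    with request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Caches one bearer token per scope and renews it shortly before expiry."""

    def __init__(self, client_key, client_secret, transport=send,
                 clock=time.monotonic, skew=30):
        self._creds = (client_key, client_secret)
        self._transport, self._clock, self._skew = transport, clock, skew
        self._tokens = {}  # scope -> (access_token, expiry on the clock)

    def token(self, scope):
        cached = self._tokens.get(scope)
        if cached and self._clock() < cached[1]:
            return cached[0]
        reply = self._transport(build_token_request(*self._creds, scope))
        if reply.get("token_type", "").lower() != "bearer" or not reply.get("access_token"):
            raise ValueError("token endpoint did not return a bearer token")
        # No refresh token is issued, so expiry means a fresh token request.
        expiry = self._clock() + max(int(reply["expires_in"]) - self._skew, 0)
        self._tokens[scope] = (reply["access_token"], expiry)
        return reply["access_token"]

    def auth_header(self, scope):
        """Header to attach to calls to the protected resource."""
        return {"Authorization": f"Bearer {self.token(scope)}"}
```

Load the key and secret from the environment or a secrets manager rather than source code, and keep the Authorization header values out of logs.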
