Authentication


We use OAuth2 for authentication and authorization. You can retrieve an API token using the client credentials flow. The OAuth2 endpoint is available at https://ridepooling-api.int.eu-central-1.moia-group.io/auth/oauth/token and is accessible exclusively via HTTP/2.

Retrieve the API token with the following request, which passes the credentials in the Authorization header (curl's --user option sends them as HTTP Basic authentication). Replace $CLIENT_ID and $CLIENT_SECRET with the credentials provided.

curl \
--location "https://ridepooling-api.int.eu-central-1.moia-group.io/auth/oauth/token" \
--header "Content-Type: application/x-www-form-urlencoded" \
--user "$CLIENT_ID:$CLIENT_SECRET" \
--data-urlencode "grant_type=client_credentials"

Example output:

{
    "access_token": "eyJvcmciOiJkZWZhdWx0IiwiaWQiOiI2NzA1OGNiYTYxZjc0Kzc2OGQyMDk0NWJmNzI2ZmY2IiwiaCI6Im13bXVyMTI4In0=",
    "expires_in": 3600,
    "token_type": "bearer"
}

You will need your <ACCESS_TOKEN> for all subsequent requests. You can set the token as an environment variable for convenience. Replace <ACCESS_TOKEN> with the token value you received in the previous step.

export ACCESS_TOKEN=<ACCESS_TOKEN>

This token is authorized for all operations on the Ridepooling API. It provides read and write data access on all resources. Integrators must filter responses themselves in order to apply more granular data access policies. To authorize write operations on behalf of a Customer, we additionally require the correct Customer-Id in the request header. Operations for which this is required are marked as customer-scope endpoints in the API Reference.

The following table summarizes the request headers required for authorization:

| Header | Type | Required | Description |
| --- | --- | --- | --- |
| Authorization | String | Yes | The OAuth 2.0 bearer token to authorize the request for accessing the Ridepooling API. For example: Bearer <Access token>. |
| Customer-Id | String | Only for customer-scope endpoints | The Customer ID on behalf of whom an operation is requested. For example: <Customer-ID>. |
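
The following is an added example, not part of the API documentation: a small shell helper that requests the token with the client credentials flow, caches it until shortly before expires_in elapses, and builds the two request headers described above. The cache path, the 60-second refresh margin and the function names are assumptions made for this example.

```bash
# Added example (not from the API docs): cache the token, refresh before expiry.
TOKEN_URL="https://ridepooling-api.int.eu-central-1.moia-group.io/auth/oauth/token"
TOKEN_CACHE="${TOKEN_CACHE:-$HOME/.ridepooling-token}"  # hypothetical cache path
REFRESH_SKEW=60  # assumption: renew 60 s before expires_in runs out

# Request a token. Credentials go to curl on stdin (--config -) so the client
# secret never appears in the process list. Assumes no '"' or '\' in them.
fetch_token_response() {
  printf 'user = "%s:%s"\n' "$CLIENT_ID" "$CLIENT_SECRET" |
    curl --silent --fail --http2 --config - --location "$TOKEN_URL" \
      --header "Content-Type: application/x-www-form-urlencoded" \
      --data-urlencode "grant_type=client_credentials"
}

# Print a valid access token, reusing the cached one while it is still fresh.
get_token() {
  local now expires token response ttl
  now=$(date +%s)
  if [ -r "$TOKEN_CACHE" ]; then
    { read -r expires; read -r token; } < "$TOKEN_CACHE"
    if [ -n "$token" ] && [ "${expires:-0}" -gt "$((now + REFRESH_SKEW))" ]; then
      printf '%s\n' "$token"
      return 0
    fi
  fi
  response=$(fetch_token_response) || return 1
  # sed keeps the example dependency-free; it assumes the flat JSON shown above.
  token=$(printf '%s\n' "$response" |
    sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  ttl=$(printf '%s\n' "$response" |
    sed -n 's/.*"expires_in"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  [ -n "$token" ] && [ -n "$ttl" ] || return 1
  # The token grants read and write on all resources: keep the file owner-only.
  ( umask 077; rm -f "$TOKEN_CACHE"
    printf '%s\n%s\n' "$((now + ttl))" "$token" > "$TOKEN_CACHE" )
  printf '%s\n' "$token"
}

# Emit curl config lines with the request headers; pass a customer ID only
# for customer-scope endpoints. Pipe the output into `curl --config -`.
api_headers() {
  local token
  token=$(get_token) || return 1
  printf 'header = "Authorization: Bearer %s"\n' "$token"
  [ -z "${1:-}" ] || printf 'header = "Customer-Id: %s"\n' "$1"
}
```

Piping the output of api_headers into `curl --config -` together with the request URL keeps the bearer token out of the command line as well.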