Version: 5.1

Authentication

The Envizage API is secured using the OpenID Connect protocol. OpenID Connect is an authentication protocol built on top of OAuth 2.0, which is an authorization protocol. OAuth 2.0 provides API security via scoped access tokens, and OpenID Connect adds user authentication and single sign-on (SSO) on top of it. OpenID Connect defines several flows for authentication and authorization; Envizage uses three of them: the Authorization Code Flow, the Resource Owner Password Flow and the Client Credentials Flow.

The Authorization Code Flow can be used in client-side (front-end) applications to authenticate a user. This flow involves the following steps:

  1. The user clicks on a button that redirects the browser to the OpenID authorization request endpoint.
  2. The user is redirected to the OpenID provider.
  3. The user authenticates with the OpenID provider by entering their credentials or by using an external OpenID Connect provider (e.g. Google, Facebook, Twitter). The user can also register and create a new account at this step.
  4. The OpenID provider redirects the user back to the app website. The redirect response includes an authorization code as a URL query parameter, which the web application can use to obtain an access token.
  5. The web application sends a request to the token endpoint with the `grant_type` parameter set to `code`, exchanging the authorization code for an access token and, optionally, an id token.
  6. The user is now authenticated and can access the Envizage API using the user access token.
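The redirect round trip of steps 1, 4 and 5, as an added example in Python (not Envizage's own client code): it builds the authorization request URL with a random `state`, validates the redirect that comes back (rejecting error responses and any `state` that does not match the value stored for the browser session), and exchanges the code at the token endpoint. The endpoint URLs, client id and redirect URI are placeholders, the HTTP transport is injectable so the flow can be exercised offline, and the token request uses the grant type name `authorization_code` from RFC 6749 §4.1.3; confirm the exact string your provider expects against the description above. A real deployment reads the endpoints from the discovery document at `<issuer>/.well-known/openid-configuration`.

```python
"""Authorization Code Flow helper: authorize URL, callback validation, code exchange.

Added example, not Envizage's own code. Every URL and client value below is a
placeholder; real endpoints come from <issuer>/.well-known/openid-configuration.
"""
import json
import secrets
import urllib.parse
import urllib.request

AUTHORIZATION_ENDPOINT = "https://id.example.test/authorize"  # placeholder
TOKEN_ENDPOINT = "https://id.example.test/token"              # placeholder
CLIENT_ID = "my-web-app"                                      # placeholder
REDIRECT_URI = "https://app.example.test/callback"            # placeholder, pre-registered


def build_authorization_url(scope="openid"):
    """Step 1: return the URL the browser is sent to, plus the state to remember.

    `state` is a fresh random value bound to the browser session; the callback is
    accepted only if it echoes the same value (CSRF protection, RFC 6749 section 10.12).
    """
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urllib.parse.urlencode(params), state


def parse_callback(redirect_url, expected_state):
    """Step 4: extract the authorization code from the redirect URL.

    Rejects provider error responses, missing or mismatched state, and an
    empty code, so a forged or replayed redirect never reaches the exchange.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)
    if "error" in query:
        raise ValueError("authorization failed: %s" % query["error"][0])
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or replayed redirect")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carries no authorization code")
    return code


def build_token_request(code):
    """Step 5: form body that exchanges the code at the token endpoint.

    RFC 6749 section 4.1.3 names this grant `authorization_code`; the code itself
    travels in the `code` field and the redirect URI must match step 1.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    }


def exchange_code(code, http_post=None):
    """POST the token request and return the parsed JSON token response.

    `http_post(url, form_dict) -> bytes` is injectable for offline use; the
    default sends a form-encoded POST with urllib.
    """
    if http_post is None:
        def http_post(url, form):
            data = urllib.parse.urlencode(form).encode()
            req = urllib.request.Request(url, data=data, method="POST")
            req.add_header("Content-Type", "application/x-www-form-urlencoded")
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read()
    body = json.loads(http_post(TOKEN_ENDPOINT, build_token_request(code)))
    if "access_token" not in body:
        raise ValueError("token endpoint returned no access_token: %r" % body)
    return body


if __name__ == "__main__":
    url, state = build_authorization_url()
    print("redirect the browser to:", url)
    # Constructed callback, shaped like the provider's step-4 redirect:
    callback = REDIRECT_URI + "?" + urllib.parse.urlencode({"code": "SplxlOBeZQQYbYS6WxSbIA", "state": state})
    code = parse_callback(callback, state)
    # Constructed token response standing in for the real endpoint:
    fake_post = lambda u, form: json.dumps({"access_token": "at-" + form["code"], "token_type": "Bearer"}).encode()
    print(exchange_code(code, http_post=fake_post))
```

The `state` value must be stored server-side or in a session cookie between steps 1 and 4; comparing it with `compare_digest` and refusing the callback on mismatch is what stops a link crafted by someone else from logging the user into an attacker-chosen session.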

The Resource Owner Password Flow (ROPC) can be used when redirects are not available, which is the case for backend applications that need to access the Envizage API. In this flow, the application authenticates a user directly against the token endpoint. The request sets the `grant_type` parameter to `password` and includes the client id and client secret obtained from the Envizage Developer Console as well as the user's credentials (username/password). The application then receives an access token that can be used to access the Envizage API on behalf of the user.

The Client Credentials Flow is used when a system authenticates and authorizes the app itself rather than a user. Consequently, this flow is used by back-end apps created from the Envizage Developer Console. Backend applications use the client id and client secret obtained from the Envizage Developer Console to authenticate themselves and obtain an access token from the token endpoint. The request sets the `grant_type` parameter to `client_credentials` and includes the client id and client secret; the authorization server responds with an access token (and, optionally, an id token) that the application can then use to call the API on its own behalf. The application can use this access token to manage users.
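The two backend flows, as an added example in Python (not Envizage's own client library): one function builds the `password` grant form and one the `client_credentials` form, and a small cache keeps the access token until shortly before its `expires_in` window closes so the application does not hit the token endpoint on every API call. The token endpoint and credentials are placeholders, the HTTP transport is injectable so the code runs offline, and the expiry handling assumes the standard RFC 6749 token response (`access_token`, `expires_in`, `token_type`).

```python
"""Backend token acquisition: Resource Owner Password and Client Credentials grants.

Added example, not Envizage's own code. The token endpoint and all credentials
are placeholders; the real endpoint is listed in the discovery document at
<issuer>/.well-known/openid-configuration.
"""
import json
import time
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://id.example.test/token"  # placeholder


def password_grant_form(client_id, client_secret, username, password, scope="openid"):
    """Resource Owner Password flow: the app forwards the user's credentials and
    receives a token that acts on behalf of that user."""
    return {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "scope": scope,
    }


def client_credentials_form(client_id, client_secret, scope="openid"):
    """Client Credentials flow: no user is involved, the token acts for the app itself."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }


def post_form(url, form):
    """Default transport: form-encoded POST, raw JSON response body."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


class TokenCache:
    """Holds one access token and re-requests it `leeway` seconds before it expires.

    `http_post` and `clock` are injectable so the refresh logic can be tested
    without a network or waiting for real time to pass.
    """

    def __init__(self, form, http_post=post_form, clock=time.time, leeway=30):
        self._form = form
        self._post = http_post
        self._clock = clock
        self._leeway = leeway
        self._token = None
        self._expires_at = 0.0
        self.requests_made = 0  # how many times the token endpoint was called

    def access_token(self):
        if self._token is None or self._clock() >= self._expires_at - self._leeway:
            body = json.loads(self._post(TOKEN_ENDPOINT, self._form))
            if "access_token" not in body:
                raise RuntimeError("token request rejected: %s" % body.get("error", body))
            self._token = body["access_token"]
            # A missing expires_in is treated as already expired: fetch again next time.
            self._expires_at = self._clock() + float(body.get("expires_in", 0))
            self.requests_made += 1
        return self._token

    def authorization_header(self):
        """Header to attach to each Envizage API request."""
        return {"Authorization": "Bearer " + self.access_token()}


if __name__ == "__main__":
    # Constructed token response standing in for the real endpoint:
    def fake_post(url, form):
        return json.dumps({"access_token": "demo-" + form["grant_type"],
                           "expires_in": 300, "token_type": "Bearer"}).encode()

    app = TokenCache(client_credentials_form("my-backend", "placeholder-secret"), http_post=fake_post)
    print(app.authorization_header())
    user = TokenCache(password_grant_form("my-backend", "placeholder-secret", "alice", "placeholder-pw"),
                      http_post=fake_post)
    print(user.authorization_header())
```

The client secret authenticates the application itself, so it belongs only in backend configuration, never in front-end code. In the password flow the user's password passes through the application; the form above holds it only for the duration of the request, and neither the form nor the token response should be written to logs.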

Authentication

Security Scheme Type: openIdConnect
OpenID Connect URL: https://id.envizage.me/realms/my-realm