OAuth Service Accounts can now be used to talk to Arivo servers.

At the moment, these Service Accounts can only be created by Arivo employees.

This document describes their use.

# Generate a Bearer Token

To send a request to the Arivo servers, a Service Account requires a Bearer token.

A Bearer token must be requested beforehand.

The request for a Bearer token looks like this:

  • Staging/Development endpoint: https://garage.arivo.fun/hydra/oauth2/token
  • Production endpoint is not yet available
  • It is a POST request
  • The body is urlencoded and includes the following data (replace <...> with the matching value):
    • grant_type=client_credentials (fixed value)
    • client_id=<Service Account ID> (the ID of your Service Account)
    • client_secret=<Service Account secret> (the secret of your Service Account)
    • scope=<list of required scopes> (the scopes you need for your application; usually only iam.sa)
    • audience=<list of required audiences> (the audiences you need for your application; depends on the requested APIs)
  • The response includes a Bearer token (access_token), how long the token is valid (expires_in), the requested scope (scope) and the token type (token_type) which should be bearer
  • The Bearer token is sent in the Authorization header of all requests to Arivo servers.
  • Example using the curl command line tool (Service Account ID/Secret and access token are redacted):
    • Request:

      curl -X POST "https://garage.arivo.fun/hydra/oauth2/token" \
        -d "grant_type=client_credentials&client_id=***&client_secret=***&scope=iam.sa&audience=opa.acc.si"
    • Response:


# Sending a request with Bearer token

All requests to Arivo servers by Service Accounts need to be authenticated with a Bearer token. The token proves your identity and scope.

Example using the curl command line tool (Bearer token is redacted):

curl "https://garage.arivo.fun/api/example" -H "Authorization: Bearer ***"
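
Both steps on this page (requesting a token, then sending it in the Authorization header) as an added Python example; it is not Arivo's own code. It assumes a standard OAuth 2.0 JSON token response, space-separated scope and audience lists, and the hypothetical environment variables ARIVO_SA_ID and ARIVO_SA_SECRET, which keep the secret out of the command line and the source.

```python
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://garage.arivo.fun/hydra/oauth2/token"  # staging endpoint from this page


def build_token_request(client_id, client_secret, scopes, audiences):
    """Build the urlencoded POST; lists are joined with spaces (assumption)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # percent-encoded, so '&' or '=' are safe
        "scope": " ".join(scopes),
        "audience": " ".join(audiences),
    }).encode("ascii")
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw, wanted_scopes, now=None, skew=30):
    """Validate the response; return (access_token, refresh_deadline_epoch)."""
    doc = json.loads(raw)
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    token = doc.get("access_token")
    if not token:
        raise ValueError("missing access_token")
    missing = set(wanted_scopes) - set(str(doc.get("scope", "")).split())
    if missing:
        raise ValueError("scopes not granted: %s" % sorted(missing))
    now = time.time() if now is None else now
    return token, now + int(doc["expires_in"]) - skew  # refresh before expiry


def authorization_header(token):
    """Header to attach to every request to Arivo servers."""
    return {"Authorization": "Bearer " + token}


def fetch_token(scopes, audiences):
    """Live call; credentials come from hypothetical environment variables."""
    req = build_token_request(os.environ["ARIVO_SA_ID"],
                              os.environ["ARIVO_SA_SECRET"], scopes, audiences)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read(), scopes)
```

Cache the returned token until the refresh deadline instead of requesting a new one per call, and keep both the secret and the token out of logs.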