# Authentication ## User tokens API endpoints ### Create a new user and generate an associated access token `POST` `https://{domain}.biapi.pro/2.0/auth/init` This endpoint generates a new access token related to a new user. Request body: [#authtokeninitrequest-object](#authtokeninitrequest-object "mention") {% tabs %} {% tab title="200: OK Token issued" %} Response body: [#authtoken-object](#authtoken-object "mention") {% endtab %} {% endtabs %} ### Generate a temporary code `GET` `https://{domain}.biapi.pro/2.0/auth/token/code` This endpoint generates a new temporary code for the current user. This endpoint *requires* header authentication with a valid user access token. In case the access token is already used by a trusted device, and you want to temporarily let another one (for example a web browser) access user resources, use this endpoint to generate a code that will expire in 30 minutes. If the generated code is intended to be used with our [webview](/api-reference/overview/webview.md), you can use the `singleAccess` token type. #### Query Parameters | Name | Type | Description | | ---- | ------ | --------------------------- | | type | String | Type of the temporary code. | {% tabs %} {% tab title="200: OK Code issued" %} Response body: [#authcode-object](#authcode-object "mention") {% endtab %} {% endtabs %} ### Exchange a temporary code for a permanent user access token `POST` `https://{domain}.biapi.pro/2.0/auth/token/access` This endpoint uses a temporary code to generate a permanent user access token. Request body: [#authtokenexchangerequest-object](#authtokenexchangerequest-object "mention") {% tabs %} {% tab title="200: OK Token issued" %} Response body: [#authtokenexchange-object](#authtokenexchange-object "mention") {% endtab %} {% endtabs %} ### Revoke an access token `DELETE` `https://{domain}.biapi.pro/2.0/auth/token` This endpoint invalidates *permanent* access tokens. Subsequent calls using the provided *permanent* access token will fail. The invalidated token is the one that is provided in the header for authentication. {% tabs %} {% tab title="204: No Content Token revoked" %} {% endtab %} {% endtabs %} ### Generate a new token for an existing user `POST` `https://{domain}.biapi.pro/2.0/auth/renew` This endpoint generates a new permanent access token for an existing user, and revokes former tokens if explicitly requested. Request body: [#authrenewrequest-object](#authrenewrequest-object "mention") {% tabs %} {% tab title="200: OK Token issued" %} Response body: [#authtokenexchange-object](#authtokenexchange-object "mention") {% endtab %} {% endtabs %} ## Service tokens API endpoints ### Generate a service token `POST` `https://{domain}.biapi.pro/2.0/auth/token` This endpoint generates a special access token with a dedicated service `scope`. The generated token will expire after 30 minutes. A service token is a token that is not associated with a user but rather used to access a specific feature or service. For example, the Pay product requires the use of a `payment` token. Request body: [#authservicetokenrequest-object](#authservicetokenrequest-object "mention") {% tabs %} {% tab title="200: OK Token issued" %} Response body: [#authservicetoken-object](#authservicetoken-object "mention") {% endtab %} {% endtabs %} ## Data model ### *AuthTokenInitRequest* object

Property	Type	Required	Description
`client_id`	String	No	The ID of the calling client application.
`client_secret`	String	No	The client secret associated with the client ID.

If your client application credentials (`client_id` and `client_secret`) are both supplied, the generated token will be *permanent*. Otherwise, the token will expire in 30 minutes. By default, the created user is temporary and will be deleted after 30 minutes if no *permanent* token is generated during this timeframe. ### ***AuthToken***** object**

Property	Type	Description
`auth_token`	String	An access token to use for subsequent API calls.
`type`	String	The type of the token, `temporary` or `permanent` .
`id_user`	Integer	ID of the created user.
`expires_in`	Integer or null	The optional expiration delay of the token, in seconds.

### *AuthTokenType* value

Value	Description
`singleAccess`	The code can only be used once.
`requestAccess`	The code expires after 30 min.

### *AuthCode* object

Property	Type	Description
`code`	String	The generated temporary code.
`type`	String	The type of the generated code. The only value is `temporary`.
`access`	String	The type of access granted, `single` or `standard`.
`expires_in`	Integer or null	The expiration delay of the code, in seconds.

### *AuthTokenExchangeRequest* object

Name	Type	Required	Description
`grant_type`	String	No	The only accepted (and default) value is `authorization_code`.
`client_id`	String	Yes	The ID of the calling client application.
`client_secret`	String	Yes	The client secret associated with the client ID.
`code`	String	Yes	The temporary code that was delivered.

### *AuthTokenExchange* object

Property	Type	Description
`access_token`	String	The generated permanent user access token.
`token_type`	String	The type of token. The only value is `Bearer`.

### *AuthServiceTokenRequest* object

Name	Type	Required	Description
`grant_type`	String	Yes	The only accepted value is `client_credentials`.
`client_id`	String	Yes	The ID of the calling client application.
`client_secret`	String	Yes	The client secret associated to the client ID.
`scope`	AuthScope string or array	Yes	The permission scopes to authorize for this token. It can be a simple string value, or an array for multiple scopes.

### *AuthScope* values

Product	Name	Description
Pay	`payments:admin`	Grants all rights on payments.
Pay	`payments:read-only`	Only GET requests are allowed on payments.
Pay	`payments:allow-sensitive`	Grants read access on sensitive information for payments.
Pay	`payments:validate`	Allows to execute payments.
Pay	`payments:cancel`	Allows to submit payment cancellation requests.
Pay	~~`payments`~~	(Deprecated). Alias for `payments:admin`.
Pay	`payment-links:admin`	Allows management of payment links.

### *AuthServiceToken* object

Property	Type	Description
`token`	String	The generated service token.
`scope`	String	The service token dedicated scope.

### *AuthRenewRequest* object

Name	Type	Required	Description
`grant_type`	String	Yes	The only accepted value is `client_credentials`.
`client_id`	String	Yes	The ID of the calling client application.
`client_secret`	String	Yes	The client secret associated with the client ID.
`id_user`	Integer	Yes	User for whom the token has to be generated. If not supplied, a user will be created.
`revoke_previous`	Boolean	No	If true, all other permanent tokens for the user will be deleted. The default is false.

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.powens.com/api-reference/overview/authentication.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.