
Authentication

We implemented OAuth2 authentication on our endpoints.

Overview

The Korint API expects a JWT (JSON Web Token) in the Authorization header of requests for authentication. Permissions are assigned according to each product's individual configuration. We provide a hosted UI for our identity provider.

Authorization Code Flow

:::info

Access tokens are valid for 1 hour.

Refresh tokens are valid for 1 month.

:::

First time login

  1. User Login: The user clicks a "Login" button in the frontend application.

  2. Redirect to IDP: The frontend app redirects the user to our Identity Provider (IDP).

  3. Authorization Code: After successful login, the IDP redirects back to the frontend application with an authorization code included in the query parameters.

  4. Exchange Code for Token: The frontend app takes the authorization code and exchanges it for a JWT by calling the OAuth2 provider's /oauth2/token endpoint with the following x-www-form-urlencoded body:
     • grant_type: authorization_code
     • redirect_uri: YOUR FRONT APP REDIRECTION URL
     • code: AUTHORIZATION CODE from query params
     • client_id: IDP CLIENT ID

  5. Token Issued: In response, a JWT and a refresh token are issued.

  6. Attach to Header: For subsequent API requests, pass the JWT in the Authorization header.

You have a valid refresh token

  1. User Login: The user has previously logged in and you still have a valid refresh token.

  2. Refreshing token: Call the OAuth2 provider's /oauth2/token endpoint with the following x-www-form-urlencoded body:
     • grant_type: refresh_token
     • refresh_token: VALID REFRESH TOKEN
     • client_id: IDP CLIENT ID

  3. Token Issued: In response, a new and valid JWT token is issued.

  4. Attach to Header: For subsequent API requests, pass the JWT in the Authorization header.
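The two procedures above as a small client-side helper, added here as an example and not Korint's own code. It assumes a placeholder IDP base URL, a public client (no client secret, matching the form bodies above) and the Bearer scheme for the Authorization header; the /oauth2/token path and the form fields are the ones the page lists.

```javascript
// Added example, not Korint's own client code. Assumed: the placeholder IDP base URL below,
// a public client with no client secret (the page's form bodies carry only client_id), and
// the "Bearer" scheme for the Authorization header. The /oauth2/token path and the form
// fields (grant_type, redirect_uri, code, client_id, refresh_token) are the ones the page lists.
const IDP_BASE_URL = "https://idp.example.invalid"; // placeholder host
const TOKEN_ENDPOINT = `${IDP_BASE_URL}/oauth2/token`;

// Both token requests share one shape: POST with an x-www-form-urlencoded body.
function tokenRequest(fields) {
  return {
    url: TOKEN_ENDPOINT,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams(fields).toString(),
  };
}

// First-time login: exchange the authorization code from the query string for tokens.
// redirect_uri must be exactly the URI the IDP redirected back to, or the exchange is refused.
function buildCodeExchangeRequest({ code, redirectUri, clientId }) {
  return tokenRequest({ grant_type: "authorization_code", redirect_uri: redirectUri, code, client_id: clientId });
}

// Returning user: trade a still-valid refresh token (1 month) for a new access token (1 hour).
function buildRefreshRequest({ refreshToken, clientId }) {
  return tokenRequest({ grant_type: "refresh_token", refresh_token: refreshToken, client_id: clientId });
}

// Read the exp claim from the JWT payload WITHOUT verifying the signature. This only schedules a
// refresh on the client; the API and IDP, not the client, decide whether a token is trusted.
function accessTokenExpiresSoon(jwt, nowSeconds, skewSeconds = 60) {
  const parts = typeof jwt === "string" ? jwt.split(".") : [];
  if (parts.length !== 3) return true; // not a JWT at all: treat as unusable
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/"); // base64url -> base64
  let payload;
  try { payload = JSON.parse(Buffer.from(b64, "base64").toString("utf8")); } catch { return true; }
  return typeof payload.exp !== "number" || payload.exp - skewSeconds <= nowSeconds;
}

// Decide the next step: keep using the current JWT, refresh it, or fall back to a fresh login.
function nextStep({ accessToken, refreshToken, clientId, nowSeconds }) {
  if (!accessTokenExpiresSoon(accessToken, nowSeconds)) return { action: "use", headers: authHeaders(accessToken) };
  if (refreshToken) return { action: "refresh", request: buildRefreshRequest({ refreshToken, clientId }) };
  return { action: "login" }; // no usable token: send the user back to the IDP
}

// Attach the JWT for an authenticated call; send no Authorization header at all for an anonymous one.
function authHeaders(accessToken) {
  return accessToken ? { Authorization: `Bearer ${accessToken}` } : {};
}
```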

Anonymous Requests

If a request lacks an Authorization header, the API will treat it as an anonymous request. Access may be restricted based on the resource in question, depending on the product.

Troubleshooting

  • 403 Forbidden: A JWT was provided but is either expired or failed to be validated by our IDP. If you want to perform an anonymous request, do not send an Authorization header. Otherwise, a 403 implies that your token lacks the necessary permissions for the requested resource.
  • 403 with self-explanatory lists of missing and valid permissions: You are anonymous or provided a valid JWT, but you don't have enough permissions to perform the request.

API limits

To improve the experience for our users, we impose some limits on API requests. These limits prevent a user from making too many expensive calls at once.

Throttling

The Korint API allows up to 300 requests per second. You'll receive a 429 error if you reach the limit. We recommend that you batch your requests to avoid hitting this limit.

:::note

This is a soft limit and we can increase quotas on demand.

:::