
The Passolution Dataservice API uses the OAuth 2.0 protocol, an industry standard for authentication and authorization of third-party applications (e.g., your app) to gain delegated access to API resources (e.g., Entry Requirements provided by Passolution) on a user's (Passolution) behalf.

Our API (api.passolution.eu) requires the OAuth access token to be sent as a Bearer token in the HTTP Authorization header, i.e.:

Authorization: Bearer <access-token>
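
A client-side guard for the header above, as an added example that is not Passolution's own code: it attaches the bearer token only to HTTPS requests for api.passolution.eu and keeps it out of redirects and logs. HTTPS on the default port, the `/example-resource` path and the token value are assumptions made for the illustration.

```python
import urllib.request
from urllib.parse import urlsplit

API_HOST = "api.passolution.eu"  # API host named on this page


def is_api_url(url: str) -> bool:
    """True only for https://api.passolution.eu on the default port (assumed)."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # malformed port such as ":99999"
        return False
    return parts.scheme == "https" and parts.hostname == API_HOST and port in (None, 443)


def build_request(url: str, access_token: str) -> urllib.request.Request:
    """Build a request carrying 'Authorization: Bearer <access-token>'."""
    if not is_api_url(url):
        raise ValueError("refusing to attach bearer token to a non-API URL")
    # A token with whitespace or control characters could split the header.
    if not access_token or not access_token.isprintable() or " " in access_token:
        raise ValueError("access token is empty or malformed")
    req = urllib.request.Request(url)
    # Unredirected headers are not copied onto the request urllib builds
    # when the server answers with a redirect, so the token stays with this host.
    req.add_unredirected_header("Authorization", f"Bearer {access_token}")
    return req


def loggable_headers(req: urllib.request.Request) -> dict:
    """Headers safe to write to logs: the bearer token is masked."""
    headers = dict(req.header_items())
    if "Authorization" in headers:
        headers["Authorization"] = "Bearer <redacted>"
    return headers


if __name__ == "__main__":
    # Constructed sample values: hypothetical path and token.
    demo = build_request(f"https://{API_HOST}/example-resource", "constructed-token-123")
    print(loggable_headers(demo))
```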

Our Authorization Server (web.passolution.eu) implements the OAuth 2.0 specification so that third-party applications (e.g., your app) can acquire a user's access token. It authenticates Passolution users and then lets them authorize third-party applications (i.e., your app) to access the Passolution API on their behalf, so that those applications can provide them with services that rely on Passolution data.

If you want to provide services to Passolution users, you will need to get your OAuth Client details as described here.

OAuth Benefits

  • Third-party applications do not need to handle or store user credentials, a practice that can be a security risk.
  • Third-party applications gain delegated access, i.e., access only to resources authorized by the user.
  • Users can revoke an application's access at any time.
  • OAuth 2.0 access tokens expire after a set period of time, which reduces risk, e.g., when old access tokens are leaked in a security breach. If an application suffers a security breach, all of its access tokens can be disabled at once (preventing unauthorized access) without affecting the user's or other applications' access.

How does OAuth 2.0 work?

[Figure: OAuth Process]