Introduction

The Authentication API enables you to manage all aspects of user identity when you use Login 3.0. It offers endpoints so your users can log in, sign up, log out, access APIs, and more.

The API supports various identity protocols, like OpenID Connect and OAuth 2.0.

This API is designed for people who feel comfortable integrating with RESTful APIs.

Base URL

The Authentication API is served over HTTPS. All URLs referenced in the documentation have the following base: https://auth3.upbond.io

Authentication methods

You have five options for authenticating with this API:

• OAuth2 Access Token

• Client ID and Client Assertion (confidential applications)

• Client ID and Client Secret (confidential applications)

• Client ID (public applications)

OAuth2 Access Token

Send a valid Access Token in the Authorization header, using the Bearer authentication scheme.

Client ID and Client Secret

Send the Client ID and Client Secret. The method you can use to send this data is determined by the Token Endpoint Authentication Method configured for your application.

If you are using Post, you must send this data in the JSON body of your request.

If you are using Basic, you must send this data in the Authorization header, using the Basic authentication scheme. To generate your credential value, concatenate your Client ID and Client Secret, separated by a colon (:), and encode it in Base64.

Client ID

Send the Client ID. For public applications (applications that cannot hold credentials securely, such as SPAs or mobile apps), we offer some endpoints that can be accessed using only the Client ID.

Parameters

For GET requests, any parameters not specified as a segment in the path can be passed as an HTTP query string parameter:

GET <https://auth3.upbond.io/some-endpoint?param=value&param=value>

For POST requests, parameters not included in the URL should be encoded as JSON with a Content-Type of application/json:

curl --request POST --url '<https://auth3.upbond.io/some-endpoint>' --header 'content-type: application/json' --data '{"param": "value", "param": "value"}'

Code samples

For each endpoint, you will find sample snippets you can use, in three available formats:

• HTTP request

• Curl command

• JavaScript: depending on the endpoint each snippet may use Node.js code or simple JavaScript

Each request should be sent with a Content-Type of application/json.

Testing

Testing endpoints is typically done by sending requests directly through your development tools as Login 3.0 does not provide a dashboard for debugging.

Errors

When an error occurs, you will receive an error object. Most of these error objects contain an error code and an error description so that your applications can more efficiently identify the problem.

If you get a 4xx HTTP response code, then you can assume that there is a bad request from your end.

5xx errors suggest a problem on Login 3.0's end. If this occurs, you can report the issue to our support team.

Rate limiting

The Authentication API is subject to rate limiting. The limits differ per endpoint.

If you exceed the provided rate limit for a given endpoint, you will receive the 429 Too Many Requests response with the following message: Too many requests. Check the X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset headers.