To request the anonymous token, the client software sends the "Access Token Request" to the system. To do so, it sends the following information: grant_type, client_id and client_secret.
POST {RMUrl}/APIIntegration/Token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: modulo.com
Content-Length: 119
Expect: 100-continue
Connection: Keep-Alive

client_id=6ed521279efd47b883bea4ddef9e617b&client_secret=8b108f4368b54a33a11ab0d95f6bf176&grant_type=client_credentials
Once the "Access Token Request" is received, the system validates the information. For example, it verifies the existence of the client_id and whether or not the client_secret is associated with the correct client_id.
If the system validates the information, it responds to the client application with an "Access Token Response" containing the following information: access_token, token_type, and expires_in. The system stores the access_token until its expiration date. The "Access Token Response" always includes the HTTP Cache-Control header with the "no-store" directive.
HTTP/1.1 200 OK
Cache-Control: private, no-store
Content-Type: application/json; charset=utf-8
Content-Length: 117

{
  "access_token": "A6D1DC6ADD5A75C967C5738E063CE8668AD2492B",
  "token_type": "bearer",
  "expires_in": 86400
}
The client software receives the access_token and stores it until its expiration date. In anonymous access, the token is valid for 24 hours (86400 seconds). Once expired, it should be discarded and cannot be reused. In anonymous access, multiple tokens can be requested for each authorized application.
If the system does not validate the information, it sends an "Authorization Response" to the client software with the following values: error, error_description, and error_uri. The error_description and the error_uri are optional. The HTTP error codes are 401 (if the client provided invalid credentials) or 400 (if there was some other error).
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store

{
  "error": "invalid_request"
}
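The exchange above from the client's side, as an added example that is not part of the original documentation: it builds the request body, validates the response, and caches the token until it expires. The `send` transport callable, the `skew` refresh margin, the two local error labels, and the decision to reject a response without "no-store" or with a token_type other than bearer are assumptions of this example.

```python
import json
import time
from urllib.parse import urlencode

class TokenError(Exception):
    def __init__(self, status, error, description=None):
        super().__init__(f"HTTP {status}: {error}")  # never include the secret
        self.status, self.error, self.description = status, error, description

def build_token_request(client_id, client_secret):
    # Form-encoded body of the Access Token Request (grant_type is fixed).
    return urlencode({"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "client_credentials"})

def parse_token_response(status, headers, body, now):
    # Returns (access_token, absolute expiry time) or raises TokenError.
    data = json.loads(body)
    if status != 200:  # 401 = invalid credentials, 400 = some other error
        raise TokenError(status, data.get("error", "unknown"),
                         data.get("error_description"))
    cache_control = {k.lower(): v for k, v in headers.items()}.get("cache-control", "")
    if "no-store" not in cache_control.lower():
        raise TokenError(status, "response_missing_no_store")  # local label
    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenError(status, "unexpected_token_type")  # local label
    return data["access_token"], now + int(data["expires_in"])

class TokenCache:
    # send(body) -> (status, headers, body) is a hypothetical transport callable
    # (an assumption of this example) that POSTs to {RMUrl}/APIIntegration/Token.
    def __init__(self, send, client_id, client_secret, clock=time.time, skew=60):
        self.send, self.clock, self.skew = send, clock, skew
        self.client_id, self.client_secret = client_id, client_secret
        self.token, self.expires_at = None, 0.0

    def get(self):
        now = self.clock()
        if self.token is None or now >= self.expires_at - self.skew:
            self.token = None  # discard the expired token before requesting a new one
            request_body = build_token_request(self.client_id, self.client_secret)
            status, headers, body = self.send(request_body)
            self.token, self.expires_at = parse_token_response(status, headers, body, now)
        return self.token
```

Keeping the token only in memory and re-requesting it shortly before `expires_in` elapses matches the "no-store" intent of the response and avoids presenting an expired token.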