Authentication

T-Gate uses the OAuth2 protocol to ensure secure and reliable authentication.

Obtaining an Access Token

This API is responsible for acquiring an access token using two different methods, each with its own body parameters and serving different needs:

Obtaining an Access Token Using Authorization Code
- This method is used to obtain an access token for the first time using an authorization code. The authorization code is received after the user authorizes your application via T-Gate’s platform. This access token will allow your application to authenticate API requests to T-Gate.
- To learn about all the steps needed to get an authorization code, please refer to Access Grant Flow Guides.
Obtaining an Access Token Using Refresh Token
- This method allows partners to obtain a new access token using a refresh token without requiring user re-authentication. This is useful when the initial access token has expired and needs renewal to continue making authenticated API requests to T-Gate.

Main Attributes

Attribute	Description	In
client_id	This is a public identifier for your application. It's used to identify your application to the T-Gate authentication server.	Headers: T-Gate uses Basic auth for this attribute so it should be sent in theusername* field of the basic auth header.
client_secret	This is a secret known only to your application and the T-Gate authentication server.	Headers: T-Gate uses Basic auth for this attribute so it should be sent in thepassword* field of the basic auth header.
code	The code attribute is a temporary authorization code that you will receive after the user authorizes your application. This code is used to request an access token.	Body_: this attribute should be sent in body if you are requesting an access token for the first time. Note that this code expires after 10 minutes.
refresh_token	This is a long-lived token used to obtain a new access token without requiring user re-authentication.	Body_: This attribute should be sent in body if you are requesting to renew your access token using the refresh token.
grant_type	Used to specify the way by which you want to obtain an access token (Using a code for the first time or using a refresh token)	Body*: this attribute can take only one of 2 values: `'authorization_code'`: if you are requesting an access token using a code for the first time. `'refresh_token'`: if you are requesting a new access token using a refresh token.
redirect_uri	Informs T-Gate where to redirect the user after completing the access grant flow.	Body:*This attribute should be sent in body and should match the same value set by your T-Gate's application account.

Your Client ID and Client Secret are unique credentials for your application that can be generated from your T-Gate's application account.

❗️
Keep your application secure
The client_secret and access_token should never be shared with anyone. Keep them secure to protect your application and data.

Code Attribute

When completing the integration flow with a company, you will receive a code attribute that allows you to request an access token for that company, head to Access Grant Flow Guides to learn more.

Access Token VS Refresh Token

Access Token: A short-lived token used to authenticate API requests. It expires after 2 hours.
Refresh Token: A long-lived token used to obtain a new access token without requiring user re-authentication.

Obtaining an Access Token Using Authorization Code

To obtain an access token using an authorization code:

Acquire a client_id, client_secret, and a code.
Use the following parameters in your request body: REQUEST_TOKEN_WITH_CODE.
Set your client_id and client_secret into the headers using Basic Auth.

📘
API Response
A successful response from this API will contain both a new access_token and a new refresh_token

Obtaining an Access Token Using Refresh Token

Access tokens have an expiry period, after which they are no longer valid. To avoid disruption in your service, you should use the refresh token to obtain a new access token.

To obtain a new access token using a refresh token:

Acquire a client_id, client_secret, and a refresh_token.
Use the following parameters in your request body: REQUEST_TOKEN_WITH_REFRESH_TOKEN.
Set your client_id and client_secret into the headers using Basic Auth.