BlackBerry AtHoc API V2 uses OAuth2-compliant authentication and authorization. To call the API, the client must first obtain an access token. Each organization has one access token, so you must request an access token for every individual organization that you call against. The authentication step returns the access token, which the client then uses when it calls the APIs.
The access token is only useful if the user has the operator role required to access the specific API module. For example, the User Manager role is required for User Sync. For more information, see Required roles for API access.
The acr_values parameter should contain the organization code as a key-value pair with the key tenant (for example, acr_values=tenant:<OrgCode>), where <OrgCode> is the organization code of the organization whose API you want to access.
The scope parameter should be a space-delimited string of the resources that you want to access. If you also need long-term access to the API, you can request a refresh token by adding the offline_access scope, for example: openid profile athoc.iws.web.api offline_access.
Depending on your application and security requirements, you can obtain an access token from any of the following supported grant types:
- Password Grant
- Authorization Code Grant
- Implicit Grant
- Change Org Grant
- Refresh Token Grant
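The following added example (not BlackBerry's code) builds one form-encoded Password Grant request body per organization, using the acr_values and scope rules described above. Field names other than acr_values and scope are the standard RFC 6749 password-grant parameters and are assumed here; the credentials and organization codes are constructed placeholders, and the token endpoint URL is not given on this page.

```python
from urllib.parse import urlencode

# Scope the page names for requesting a refresh token.
REFRESH_SCOPE = "offline_access"

def build_password_grant_body(org_code, username, password, client_id,
                              client_secret, scopes, long_term=False):
    """Return the form-encoded token request body for one organization.

    grant_type, client_id, client_secret, username and password are the
    standard RFC 6749 field names (an assumption, not taken from the page).
    """
    # acr_values is a space-separated list in OpenID Connect, so whitespace
    # in an org code would add a second value; reject it instead of escaping.
    if not org_code or any(c.isspace() for c in org_code):
        raise ValueError(f"invalid organization code: {org_code!r}")
    requested = []
    for s in scopes:
        if not s or any(c.isspace() for c in s):
            raise ValueError(f"invalid scope: {s!r}")
        # Drop duplicates; offline_access is controlled only by long_term.
        if s != REFRESH_SCOPE and s not in requested:
            requested.append(s)
    if long_term:
        requested.append(REFRESH_SCOPE)
    return urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "acr_values": f"tenant:{org_code}",
        "scope": " ".join(requested),
    })

def bodies_per_org(org_codes, **kwargs):
    """One request body per organization: a token covers a single org."""
    return {org: build_password_grant_body(org, **kwargs) for org in org_codes}

if __name__ == "__main__":
    # Constructed sample values, not real credentials or org codes.
    for org, body in bodies_per_org(
            ["ORG1", "ORG2"], username="operator", password="example-pass",
            client_id="example-client", client_secret="example-secret",
            scopes=["openid", "profile", "athoc.iws.web.api"]).items():
        print(org, body)
```

urlencode percent-encodes the colon in acr_values and turns the spaces in scope into `+`, which is the encoding a form-encoded token request expects.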