Authorization

In response to the authentication request, the client receives a response that contains at least the access token. The access token contains the scopes that dictate what can and cannot be done. The token is signed by the server, and the client merely echoes it on every request when it accesses resources.
The access token represents the identity of the requester along with attributes such as scopes. The token has an expiration and should be sent on every request in the Authorization request header. Failing to do so results in an HTTP/1.1 401 Unauthorized response. If the token is provided and proves to be legitimate, but the server finds that the action the caller is attempting is not allowed by the granted scopes, an HTTP/1.1 403 Forbidden is returned.
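
The following is an added example, not code from this page or its API: a server-side check that maps the cases described above to status codes. The token format (a base64url JSON payload plus an HMAC-SHA256 signature), the `Bearer` scheme, the key, and the scope names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the server

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject, scopes, ttl, now=None):
    """Sign a payload carrying identity, scopes and expiry (hypothetical format)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scopes": scopes, "exp": now + ttl}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"

def authorize(headers, required_scope, now=None):
    """Return the HTTP status the server would send for this request."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401  # no token sent in the Authorization header
    payload, _, sig = token.partition(".")
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    try:
        # Verify the signature before trusting anything inside the payload.
        if not hmac.compare_digest(_unb64(sig), expected):
            return 401  # not signed by this server, or modified in transit
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return 401  # malformed token
    if claims.get("exp", 0) <= now:
        return 401  # token has expired
    if required_scope not in claims.get("scopes", []):
        return 403  # legitimate token, but the action is outside its scopes
    return 200
```

Because the client only echoes the token, every decision here rests on the server recomputing the signature; editing the scopes in the payload invalidates it and yields 401 rather than 403.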