# Getting Access

A **Client ID** and **Client Secret** is required to access these APIs. To request access please reach out to: [data.services@servictoria.com.au](mailto:data.services@servictoria.com.au)

A different set of credentials will be provided for the Test and Production environments.

## Overview

This API supports the OAuth 2.0 client credentials flow for authentication, which has the following high level steps:

1. Use Client ID and Client Secret to get an access token from token endpoint.
2. Call API with access token included in the authorization header.


## Using credentials to get an access token

#### Test Environment

To get a token for the Test environment use:

- Token endpoint: [https://stg.auth.servictoria.com.au/oauth/token](https://stg.auth.servictoria.com.au/oauth/token)
- Audience: [https://test.api.servictoria.io/vicland/ddp](https://test.api.servictoria.io/vicland/ddp)


Example:


```
curl --request POST \
  --url 'https://stg.auth.servictoria.com.au/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data client_id=YOUR_CLIENT_ID \
  --data client_secret=YOUR_CLIENT_SECRET \
  --data audience='https://test.api.servictoria.io/vicland/ddp'
```

#### Production Environment

To get a token for the Production environment use:

- Token endpoint: [https://auth.servictoria.com.au/oauth/token](https://auth.servictoria.com.au/oauth/token)
- Audience: [https://api.servictoria.io/vicland/ddp](https://api.servictoria.io/vicland/ddp)


Example:


```
curl --request POST \
  --url 'https://auth.servictoria.com.au/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data client_id=YOUR_CLIENT_ID \
  --data client_secret=YOUR_CLIENT_SECRET \
  --data audience='https://api.servictoria.io/vicland/ddp'
```

#### Response

On successfully sending the request, you’ll get back a response that includes an access_token. Example:


```
{
  "access_token": "example-308ryntpiwepfnr-jw3-rj3rh34h0trh834thnf3wrh3df-truncated",
  "scope": "obj1:read obj2:read obj2:write",
  "expires_in": 3600,
  "token_type": "Bearer"
}
```

Once obtained an access token can be cached and reused until it expires. The expiry time can be calculated by taking a timestamp prior to requesting the access token and adding `expires_in` seconds.

## Call API using access token

To call this API include the access token in the 'authorization' header with the prefix: 'Bearer '. Example:


```
curl --request GET \
  --url https://test.api.servictoria.io/example \
  --header 'authorization: Bearer ACCESS_TOKEN'
```

## More information

For more information see:

- [https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-credentials-flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-credentials-flow)
- [https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-credentials-flow/call-your-api-using-the-client-credentials-flow#steps](https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-credentials-flow/call-your-api-using-the-client-credentials-flow#steps)