Authorization

KORE's APIs are secured using the OAuth2.0 Protocol, specifically Client Credentials Flow to obtain tokens to authorize you to access your resources.

To call any of KORE's APIs, you will need to exchange your Client Credentials, Client ID and Client Secret, for an Access Token. You can view your Client Credentials in your Client's Details.

How it Works

1. Send API Credentials

Your application sends the client credentials, Client ID and Client Secret, to KORE's authorization server.

KORE's auth endpoint is https://api.korewireless.com/api-services/v1/auth/token

Request
curl -X POST https://api.korewireless.com/api-services/v1/auth/token  \
  --header 'cache-control: no-cache'  \
  --header 'content-type: application/x-www-form-urlencoded'  \
  --data "grant_type=client_credentials" \
  --data "client_id=$KORE_CLIENT_ID" \
  --data "client_secret=$KORE_CLIENT_SECRET"

2. KORE validates the credentials

If the Client Credentials are not valid, you will receive an error.

Error: HTTP 401
{
    "error": "unauthorized_client",
    "error_description": "Invalid client or Invalid client credentials"
}

If the credentials are valid, KORE responds with an access token per RFC 6749.

The expires_in property is given in seconds.

{
   "access_token": "ACCESS_TOKEN",
   "expires_in": "EXPIRY_TIME",
   "token_type": "Bearer",
   "scope": "YOUR_SCOPE"
}

3. Make an API Call

When you call any REST API, include the access token (returned from step2. KORE validates the credentials) in the authorization header: --header Authorization: Bearer {access_token}.

When your access token expires, repeat the process, starting with Step 1.

Refer to our guide on Refreshing your API Access token for an example.

Client Credentials

When you create an API Client, the Client Secret is shown only once, after which you will not be able to retrieve the Client Secret.

The Client ID is always shown as this is how you uniquely identify your client.

Your client credentials are like your username and password and should be secured appropriately.

Access Token Expiry Times

When you create your API Client, you can pick an expiry time.

The options we support are

  • 1 hour

  • 1 day (24 hours)

  • 30 days

  • 24 months (2 years)

When you request an Access Token, given your Client Credentials, the Acces Token you will have an expiration time based on what you selected when creating your API Client. When your Access Token expires, you will be required to request a new access token.

If the Access Token expires, and your application attempts to make an API call, you will be presented with an error.

Error: HTTP 403
{
    "message": "User is not authorized to access this resource with an explicit deny",
    "error": "Invalid or expired token"
}

Access Token Scopes

Access Token Scope is a mechanism in OAuth2.0 that limits your application to only the products and resources you require.

Picking your scopes is done during client creation, which can be modified later.

Changing the scope of your API Client requires you to generate a new Access Token, as the Access Token you are currently using will have the old scopes.

When you receive your token from KORE, it will contain the scopes you identified when you created your API Client.

PreviousAPI ClientsNextAPI Responses

Last updated

Was this helpful?