The server responsible for issuing access tokens to the client after successfully authenticating and authorizing the client. The Authorization Server is sometimes also responsible for user authentication.
Possible ways a client can obtain an Access Token, based on the type of application:

| Application type | Grant type |
| --- | --- |
| Regular Web App: Traditional web application that performs most of its application logic on the server (e.g., Express.js, ASP.NET). | Authorization Code |
| Native App: Mobile or desktop app that runs natively on a device (e.g., iOS, Android). | Authorization Code + PKCE |
| Machine-to-Machine (M2M) App: Non-interactive application, such as command-line tools, daemons, IoT devices, or services running on your back-end. Typically, you use this option if you have a service that requires access to an API. | Client Credentials Grant |
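The Authorization Code + PKCE flow in the table above, as an added worked example that is not part of the original glossary or of any vendor SDK. It generates the `code_verifier` and its S256 `code_challenge` as defined in RFC 7636, builds the authorization request, binds the callback to a `state` value, and shows the check the authorization server performs when the code is exchanged. The endpoint URLs, client id and redirect URI are placeholders, not real values from this page.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoints (assumed for the example, not real service URLs).
AUTHORIZE_ENDPOINT = "https://authorization.example/authorizeCode"
TOKEN_ENDPOINT = "https://authorization.example/accessToken"


def b64url_nopad(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes -> 43 unreserved characters."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list[str],
                        state: str, verifier: str) -> str:
    """Client side: the URL the user agent is sent to. Only the challenge
    leaves the client; the verifier stays in local storage until the exchange."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Client side: pull the authorization code out of the redirect and refuse
    it unless the state matches the one this client generated (CSRF binding)."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback was not initiated by this client")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(client_id: str, redirect_uri: str, code: str,
                        verifier: str) -> tuple[str, dict[str, str]]:
    """Client side: form body for exchanging the code. A public client sends
    the verifier instead of a secret; the server recomputes the challenge."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }
    return TOKEN_ENDPOINT, body


def server_verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side: an intercepted code is useless without the verifier that
    hashes to the challenge recorded when the code was issued."""
    try:
        recomputed = code_challenge(presented_verifier)
    except UnicodeEncodeError:
        return False
    return hmac.compare_digest(recomputed, stored_challenge)


if __name__ == "__main__":
    verifier = generate_code_verifier()
    state = secrets.token_urlsafe(16)
    url = build_authorize_url("client-id-placeholder", "https://app.example/cb",
                              ["wms_collection_management"], state, verifier)
    print("authorize:", url)
    # Constructed callback, as the server would redirect after consent.
    code = parse_callback(f"https://app.example/cb?code=abc123&state={state}", state)
    print("token request:", build_token_request("client-id-placeholder",
                                                "https://app.example/cb", code, verifier))
```

The server stores only the challenge alongside the issued code; because SHA-256 is one-way, an attacker who observes the challenge or steals the code from the redirect cannot complete the exchange, which is the reason the table recommends PKCE for native apps that cannot keep a client secret.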
The 80-character public portion of the WSKey.
A string that identifies the functionality the client is requesting authorization to use.
The unique string which represents the fact that a user has successfully authenticated and the application has been granted the right to access one or more scopes for a particular institution. Authorization Codes are exchanged by clients to obtain Access Tokens.
A credential that can be used by an application to access an API. Access Tokens can be either an opaque string or a JSON Web Token (JWT).
An access token which is returned with only some of the scopes the client application requested.
A simple authentication scheme used to protect HTTP requests. Requests contain the Authorization header with the key and secret joined by a colon and base64 encoded.
A longer-lived token which a client can request and which allows an application to obtain a new access token without prompting the user.
Applications can programmatically revoke the access a user has given to it. Revocation is important when a user unsubscribes, removes an application or "logs out".