
JAS OAuth2.0 API Documentation

 OAuth 2.0 Integration Guide

Our APIs use OAuth 2.0, the industry-standard protocol for authorization. This ensures your applications can access JAS data securely without ever needing to store or expose sensitive credentials like permanent usernames and passwords.

Instead of a password, your application will request a temporary access token. This token is a unique, short-lived key (valid for 10 minutes) that you must send in the header of every API call. This guide explains the simple, two-step process to get and use these tokens.

The Authentication Workflow

The process is straightforward and designed for machine-to-machine (M2M) communication.

  • Prerequisites: Register your application in the MyAccount section of the My JAS Connect Portal to receive a client_id and client_secret.
  • Request Token: Send your credentials to our secure token endpoint.
  • Receive Token: Our server validates and returns a short-lived access_token.
  • Access APIs: Use the access_token for secure API calls. When it expires, repeat Step 2.

1. Prerequisites: Register Your Application

  1. Log in to the My JAS Connect Portal with your username and password.
  2. Navigate to the MyAccount tab.
  3. Create or register your application to obtain:
    • client_id (Your application's "Key")
    • client_secret (Your application's "Secret")

Note: When you subscribe to any JAS Business API, you automatically gain access to the JAS Access Token API.

2. Request an Access Token

To obtain your 10-minute access token, make a POST request to our token endpoint.

  • Method: POST
  • Endpoint: https://<<URL_PROVIDED_IN_THE_PORTAL>>/oauth2/token
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body parameters (parameter: value):
    • grant_type: client_credentials
    • client_id: <YOUR_CLIENT_ID>
    • client_secret: <YOUR_CLIENT_SECRET>

Example Response (200 OK)

{
  "access_token": "eyJraWQiOiJzaWduZXI...[rest_of_token]...U-o4A",
  "token_type": "Bearer",
  "expires_in": 600
}

access_token: The token you will use for API calls.
expires_in: The lifespan of the token in seconds (600 seconds = 10 minutes).

Best Practices & Troubleshooting

Best Practices

  • Treat Tokens Like Passwords: Never expose tokens in URLs, client-side code, or logs.
  • Automate Token Renewal: Request a new access token automatically before expiration or after a 401 error.

Common Errors

  • 401 Unauthorized: Token missing, invalid, or expired — re-request a token.
  • 403 Forbidden: Invalid credentials or missing API subscription.
  • 400 Bad Request: Usually due to a missing Content-Type header.

FAQ

  1. Why is OAuth 2.0 required?
    OAuth 2.0 allows secure access to JAS APIs without storing permanent usernames or passwords.
  2. What is the impact of token expiration?
    Once expired, API calls fail with 401 Unauthorized until a new token is issued.
  3. How can I prevent downtime from token expiration?
    Proactively renew tokens every 9–10 minutes or handle 401 errors automatically.
  4. Can I automate token renewal?
    Yes — the client_credentials flow is designed for automation in M2M apps.