Using the long term tokens - PaloAltoNetworks/app-f-oauth2-shared GitHub Wiki

Using the long term tokens

The OAUTH2 Shared Component features a JWT-based backend API that allows any software entity holding a valid long-term token to retrieve or refresh the corresponding Application Framework access_token.

The following is an example of a long term token.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE4NTU3NTE1NjEsInN1YiI6IjUxMzgwMzcwMzMxMDE4NTAwNjEiLCJqdGkiOjE0LCJpc3MiOiJhcGkifQ==.G0CAZvGRqutoz7by7KjImge6/XHTNefUloeXRaO7U/w=

It is a string composed of three Base64-encoded segments separated by dots:

  • the JWT header
  • the JWT claims
  • an HMAC signature of the payload

Note that the example above encodes its segments with standard Base64 (it contains "/" and "=" padding), not the unpadded base64url alphabet that most JWT libraries expect, so a decoder must accept both forms.

The claims carry the instance_id that this specific long-term token is bound to.

The token must be provided in every GET request to the OAUTH2 Shared Component backend API, inside the Authorization HTTP header, using the following scheme:

Authorization: Bearer <token>

The available entry points to the backend API are:

  • GET /token -> retrieves the Application Framework access_token bound to the long-term token. See the AUTOREFRESH Stage Variable under Application Customization to turn on the auto-refresh feature.
  • GET /token/refresh -> triggers the token refresh operation and returns the just-refreshed access_token.
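As an added example (not the project's own code), the following Python splits the example token above into its three segments, decodes the header and claims while accepting both standard Base64 and base64url, checks the exp claim, and builds the request line and Authorization header for the two backend entry points. It deliberately does not verify the HMAC signature, since only the backend holds the signing key; the function names are my own.

```python
import base64
import json
import time
from typing import Dict, Optional, Tuple

# The example long-term token shown on this page (signature cannot be verified here,
# because the HMAC key lives only in the backend).
EXAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJleHAiOjE4NTU3NTE1NjEsInN1YiI6IjUxMzgwMzcwMzMxMDE4NTAwNjEiLCJqdGkiOjE0LCJpc3MiOiJhcGkifQ==."
    "G0CAZvGRqutoz7by7KjImge6/XHTNefUloeXRaO7U/w="
)


def _b64decode_lenient(segment: str) -> bytes:
    """Decode a segment whether it uses base64url (RFC 7515, unpadded) or, as in
    the page's example, standard Base64 with '+', '/' and '=' padding."""
    s = segment.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)  # restore padding if it was stripped
    return base64.b64decode(s, validate=True)


def parse_long_term_token(token: str) -> Dict[str, object]:
    """Split the token into header, claims and signature. The claims are returned
    UNVERIFIED: a client may inspect them, but must not trust them as proof of
    anything; only the backend can check the HMAC."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments: header.claims.signature")
    header = json.loads(_b64decode_lenient(parts[0]))
    claims = json.loads(_b64decode_lenient(parts[1]))
    signature = _b64decode_lenient(parts[2])
    return {"header": header, "claims": claims, "signature": signature}


def is_expired(claims: Dict[str, object], now: Optional[float] = None) -> bool:
    """True if the 'exp' claim (seconds since the Unix epoch) is absent or past."""
    now = time.time() if now is None else now
    return "exp" not in claims or claims["exp"] <= now


def backend_request(token: str, refresh: bool = False) -> Tuple[str, Dict[str, str]]:
    """Return the GET path and headers for the backend API entry points above."""
    path = "/token/refresh" if refresh else "/token"
    return path, {"Authorization": "Bearer " + token}
```

A client should call is_expired before sending the token and obtain a new long-term token once it is past its exp, rather than retrying a request the backend will reject.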