Authentication

Last updated: 21 Nov 2024

Overview

PageUp APIs are secured using OAuth 2.0, which provides authentication and verification with bearer tokens which must be included in request headers.

Before generating an access token, you must obtain a client_id and client_secret from PageUp. These are referred to as 'client credentials' and can then be used to request an access token from the PageUp token endpoint. Please request these from your PageUp representative.


Contents

  1. Datacentres
  2. URL Format
  3. Access Control
  4. Requesting Client Credentials
  5. Access Token Requests
  6. Postman Collection

Datacentres

PageUp hosts customers all around the globe. To ensure efficient service to our customers, we use datacentres in multiple locations around the world. Each datacentre is assigned a unique identifier. Take not of the datacentre where your customer is hosted and contact your PageUp representative if clarification is required.

For example: https://login.dc2.pageuppeople.com/connect/token

Region Data Centre
AUS DC2
UK / EMEA DC3
US DC4
SEA DC5

URL Format

Root URL:
https://<environment>.<dataCentreId>.pageuppeople.com/connect/token

environment = 'login' for LIVE or 'loginuat' for UAT
dataCentreId = the data centre to connect to (e.g. dc2)

Examples:
LIVE environment for dc2: https://login.dc2.pageuppeople.com/connect/token
UAT environment for dc3: https://loginuat.dc3.pageuppeople.com/connect/token


Access Control

Access to PageUp APIs is restricted through the use of OAuth scopes. Generally these are automatically provisioned as per your contract request with PageUp, however should your requirements change, you can contact PageUp to discuss the scopes enabled for your credentials.


Requesting Client Credentials

Your client_id and client_secret is used to identify you as a consumer of PageUp APIs. To ensure the security of PageUp customer data, each client id can only be connected to one PageUp customer and one environment.

Each PageUp customer has both a UAT and LIVE environment. You will be provisioned UAT credentials until you are prepared to GO LIVE.

Security best practice highly recommends that you store your client_secret encrypted at rest, particularly if you plan to commit it to a shared repository.

To obtain these credentials please speak with your company's HR Super User or PageUp representative. HR Super Users should refer to the Requesting API Credentials article in the knowledge portal for more information (or please feel free to contact your Customer Success Manager).


Access Token Requests

Once created, access tokens are valid for n seconds as defined by the "expires_in" value. It is highly recommended that the token be reused until near expiry to improve performance.

Request Template

URL:
https://<environment>.<dataCentreId>.pageuppeople.com/connect/token
METHOD:
POST
HEADER:
{Content-Type:application/x-www-form-urlencoded}
BODY:
{client_id:<clientId>,
client_secret:<clientSecret>,
grant_type:client_credentials,
scope:<accessControlScope>}

clientId = PageUp supplied ID used to identify the consumer
clientSecret = PageUp supplied secret key paired to clientId
accessControlScope = Requested access scopes. Specify either a single scope or multiple scopes (separated by a space i.e "scopeA scopeB scopeC").

Example Authentication Response

{
    "access_token": "the_access_token_string",
    "expires_in": 300,
    "token_type": "Bearer"
    "scope": "Public.Application.Read Public.Application.Write"
}

Access Token Defintions

  • access_token = Token value.
  • expires_in = Lifetime of token in seconds.
  • token_type = The type of token. e.g. Bearer.

Example Access Token Usage

In endpoint requests, include the below in your header.

Header:
  Authorization: Bearer <access_token>

Postman Collection

The access token request Postman collection is available publicly below:

https://postman.com/puptechsolution/workspace/pageup-public-workspace/documentation/421061-72aab701-b61c-4a4d-97c6-3d1d33228c62