Access-Token
To perform any request against the Webgate API, you first need to obtain an access token using the Authorization Code Flow of the OAuth2 standard.
See http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.1 for the specification of the protocol.
All subsequent requests are authorized by presenting the access token obtained through this flow.
Registering a client
First, your client needs to be registered. To register it, send us your Redirection URI(s) and the name of your client. Choose a name that webgate users will easily recognize when they are asked to authorize your client. You will also need a webgate user account to which the client will be bound.
Once the client has been registered to your user, all the necessary data, such as the client_id and the secret_id (the client secret), can be found in the "MyProfile" menu.
There, users can also see all the clients they have authorized and revoke an access grant at any time. After a revocation, the flow has to be repeated before the client can access the API again.
Validity
A token expires 24 hours after it was issued. As long as the user has not revoked the authorization, a new token can be obtained at any time, and your application should do this automatically instead of surfacing an expired-token error to the user. Treat the token as a credential: store it securely and only ever send it to the Webgate API.
Invalidating an access token
An access token can be invalidated before it expires.
To do this, send a POST request to /oauth/revoke, carrying the access token to be revoked in the Authorization header.
Example:
POST /oauth/revoke HTTP/1.1
Authorization: Bearer example-token
Successful Response:
HTTP/1.1 200 OK
Content-Type: application/json

{}
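The following Python helpers walk through the flow described on this page end to end: building the authorization request with a state value, validating the redirect back to the client, exchanging the code for a token over the back channel, deciding when the 24-hour token must be renewed, and building the documented POST /oauth/revoke request. This is an added example and not Webgate's own code. Only /oauth/revoke is documented above; the /oauth/authorize and /oauth/token paths, HTTP Basic client authentication at the token endpoint, and the host names used in the example are assumptions.

```python
"""Client-side helpers for the Webgate OAuth2 flow described on this page.

Added illustration, not Webgate's own code. Assumptions the page does not
state: the authorization and token endpoints are /oauth/authorize and
/oauth/token (only /oauth/revoke is documented), and the client authenticates
to the token endpoint with HTTP Basic using client_id and the client secret.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_LIFETIME_SECONDS = 24 * 60 * 60   # documented: a token expires after 24 hours


def generate_state() -> str:
    """Unguessable per-authorization value; ties the callback to the session that started it."""
    return secrets.token_urlsafe(32)


def build_authorization_url(base_url: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Step 1: the URL the user's browser is sent to (authorization endpoint path is assumed)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must exactly match a URI registered with Webgate
        "state": state,
    }
    return f"{base_url}/oauth/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str, registered_redirect_uri: str) -> str:
    """Step 2: extract the authorization code from the redirect, rejecting forged or replayed callbacks."""
    got = urlparse(callback_url)
    want = urlparse(registered_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback arrived at a URI other than the registered redirect URI")
    query = parse_qs(got.query)
    if "error" in query:
        raise PermissionError(f"authorization server returned error: {query['error'][0]}")
    state = query.get("state", [""])[0]
    # Constant-time comparison; a mismatch means CSRF, a stale tab, or a replayed callback.
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: discarding authorization code")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one authorization code")
    return codes[0]


def build_token_request(base_url: str, client_id: str, client_secret: str,
                        code: str, redirect_uri: str) -> dict:
    """Step 3: back-channel exchange of the code for an access token (token endpoint path is assumed).

    Returned as a plain description so it can be inspected offline; a real client
    would hand it to e.g. requests.post(url, auth=auth, data=data).
    """
    return {
        "url": f"{base_url}/oauth/token",
        "auth": (client_id, client_secret),   # the secret never passes through the browser
        "data": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,     # repeated so the server can check it matches step 1
        },
    }


def token_is_usable(issued_at: float, now: float, skew_seconds: float = 60.0) -> bool:
    """True while the 24-hour token is still valid, minus a safety margin so requests already
    in flight do not fail at the boundary. When this returns False, obtain a new token
    automatically instead of surfacing a 401 to the user."""
    return now < issued_at + TOKEN_LIFETIME_SECONDS - skew_seconds


def build_revoke_request(base_url: str, access_token: str) -> dict:
    """Documented revocation call: POST /oauth/revoke with the token as a Bearer credential."""
    return {
        "url": f"{base_url}/oauth/revoke",
        "headers": {"Authorization": f"Bearer {access_token}"},
    }


if __name__ == "__main__":
    # Walk through the flow with constructed values; no network is touched.
    base = "https://webgate.example"                        # hypothetical API host
    redirect = "https://client.example/oauth/callback"      # hypothetical registered redirect URI
    state = generate_state()
    print(build_authorization_url(base, "my-client-id", redirect, state))
    # Pretend the browser came back with a code and the same state (constructed callback).
    callback = f"{redirect}?code=constructed-code-123&state={state}"
    code = parse_callback(callback, state, redirect)
    print(build_token_request(base, "my-client-id", "my-client-secret", code, redirect)["data"])
    print(build_revoke_request(base, "example-token")["headers"])
```

The state check is the part most often skipped in hand-written clients: without it, an attacker can complete the flow with their own account and make the victim's browser deliver that authorization code to your callback, binding the victim's session to the attacker's Webgate data. The code exchange is kept off the browser so that the client secret is only ever sent server to server.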