Skip to main content

Authentication

Protected WEDA APIs require a bearer token:

Authorization: Bearer {accessToken}

Two flows are available:

User TokenM2M Access Token (Client Credential)
Use whenInteractive testing and user-driven applicationsAutomated services, CI/CD, and backend pipelines
FlowOIDC SSO (5 steps)OAuth 2.0 Client Credentials
Expiry2 hoursDefined by expiredAt; does not expire when omitted or null
ScopeIAM role-basedTenant-scoped; accepts optional scopes and deviceIds
WEDA v1.1.0 Identity URL

Use identity as the ssoBaseUrl in WEDA v1.1.0. The previous {tenantPath}/identity and central/identity paths are no longer supported.


User Token (SSO)

The user token uses an OIDC-based SSO flow. Use the 0-WiseSso Postman collection from the WEDA API Collection — it handles cookie management and HTML parsing between steps automatically.

Configure the Postman Environment

Set these variables in the weda-core environment before running:

VariableExample valueDescription
loginyou@company.comYour WEDA account email
password••••••••Your WEDA account password
domainhttps://tpe.cloud.advantech.comBase URL for your WEDA deployment
tenantPathcentralTenant path segment
appPathwedaApplication path segment
ssoBaseUrlidentitySSO service path
Protect authentication secrets

Do not share or export a Postman environment that contains your password, clientSecret, access token, or refresh token.

Flow

Step 1 — Initialize SSO session

GET {domain}/{tenantPath}/portal/external-login
?returnUrl={domain}/{tenantPath}/{appPath}

Response: 302. Establishes the session context; tenantId is extracted from the redirect Location header.


Step 2 — Submit credentials

POST {domain}/{ssoBaseUrl}/api/v1.0/account/login
{
"account": "{login}",
"password": "{password}",
"tenantId": "{tenantId}"
}

Response: 200. Sets the Identity.Permission session cookie.


Step 3 — Obtain OIDC authorization code

GET {domain}/{tenantPath}/portal/external-login
?returnUrl={domain}/{tenantPath}/{appPath}

Response: 200 with an HTML form containing hidden code, state, and iss fields. The Postman script parses the HTML to extract form_action, code, state, and iss.


Step 4 — Complete OIDC sign-in

POST {form_action}
Content-Type: application/x-www-form-urlencoded

code={code}&state={state}&iss={iss}

Response: 302. Sets the AdvOidc.Login cookie.


Step 5 — Exchange for WEDA token

POST {domain}/{tenantPath}/{appPath}/api/v1/auth/tokens

No body — the call uses the cookies set in the previous steps.

See Create JWT access token for full field reference.

{
"accessToken": "eyJ...",
"refreshToken": "30a8e6b809ff43ac8abe267a5f93ef31",
"expiresIn": 7200,
"tokenType": "Bearer"
}

Use accessToken as your Bearer token. Tokens expire after 2 hours; use refreshToken to renew without repeating the full flow.

POST {domain}/{tenantPath}/{appPath}/api/v1/auth/tokens?grant_type=refresh_token
Content-Type: application/json

{
"refreshToken": "{refreshToken}"
}
Implementing without Postman

If you call these endpoints in code, your HTTP client must:

  • Preserve cookies across all 5 requests
  • Parse the HTML in step 3 to extract form_action and the hidden form fields

M2M Access Token (Client Credential)

Use for automated services, CI/CD pipelines, or any non-interactive caller.

Step 1 — Create a Client Credential

POST /api/v1/oauth2/client-credentials
{
"name": "my-service-prod",
"expiredAt": "2027-01-01T00:00:00Z",
"scopes": ["dataobject.read"],
"deviceIds": ["cc827f50f406"]
}

expiredAt, scopes, and deviceIds are optional. If you omit expiredAt or set it to null, the Client Credential does not expire.

See Create Client Credential for full field reference.

The response returns clientId and clientSecret. The secret is shown only once — store it immediately.

To manage existing credentials:

OperationAPI
List credentialsGET /api/v1/oauth2/client-credentials
Delete credentialDELETE /api/v1/oauth2/client-credentials/{id}

Deleting a Client Credential revokes it immediately. Any access token issued from that credential becomes invalid immediately.

Step 2 — Request an Access Token

POST {domain}/identity/connect/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id={clientId}&client_secret={clientSecret}
curl -X POST "{domain}/identity/connect/token" \
--data-urlencode "grant_type=client_credentials" \
--data-urlencode "client_id={clientId}" \
--data-urlencode "client_secret={clientSecret}"

Use the returned access token as your Bearer token.

note

A Client Credential is created at Tenant scope rather than under a specific Org. The creation request also accepts optional scopes and deviceIds.



Last updated on Jul-15, 2026 | Version 1.1.0