Authentication
Protected WEDA APIs require a bearer token:
Authorization: Bearer {accessToken}
Two flows are available:
| User Token | M2M Access Token (Client Credential) | |
|---|---|---|
| Use when | Interactive testing and user-driven applications | Automated services, CI/CD, and backend pipelines |
| Flow | OIDC SSO (5 steps) | OAuth 2.0 Client Credentials |
| Expiry | 2 hours | Defined by expiredAt; does not expire when omitted or null |
| Scope | IAM role-based | Tenant-scoped; accepts optional scopes and deviceIds |
Use identity as the ssoBaseUrl in WEDA v1.1.0. The previous
{tenantPath}/identity and central/identity paths are no longer supported.
User Token (SSO)
The user token uses an OIDC-based SSO flow. Use the 0-WiseSso Postman collection
from the WEDA API Collection
— it handles cookie management and HTML parsing between steps automatically.
Configure the Postman Environment
Set these variables in the weda-core environment before running:
| Variable | Example value | Description |
|---|---|---|
login | you@company.com | Your WEDA account email |
password | •••••••• | Your WEDA account password |
domain | https://tpe.cloud.advantech.com | Base URL for your WEDA deployment |
tenantPath | central | Tenant path segment |
appPath | weda | Application path segment |
ssoBaseUrl | identity | SSO service path |
Do not share or export a Postman environment that contains your password,
clientSecret, access token, or refresh token.
Flow
Step 1 — Initialize SSO session
GET {domain}/{tenantPath}/portal/external-login
?returnUrl={domain}/{tenantPath}/{appPath}
Response: 302. Establishes the session context; tenantId is extracted from
the redirect Location header.
Step 2 — Submit credentials
POST {domain}/{ssoBaseUrl}/api/v1.0/account/login
{
"account": "{login}",
"password": "{password}",
"tenantId": "{tenantId}"
}
Response: 200. Sets the Identity.Permission session cookie.
Step 3 — Obtain OIDC authorization code
GET {domain}/{tenantPath}/portal/external-login
?returnUrl={domain}/{tenantPath}/{appPath}
Response: 200 with an HTML form containing hidden code, state, and iss
fields. The Postman script parses the HTML to extract form_action, code,
state, and iss.
Step 4 — Complete OIDC sign-in
POST {form_action}
Content-Type: application/x-www-form-urlencoded
code={code}&state={state}&iss={iss}
Response: 302. Sets the AdvOidc.Login cookie.
Step 5 — Exchange for WEDA token
POST {domain}/{tenantPath}/{appPath}/api/v1/auth/tokens
No body — the call uses the cookies set in the previous steps.
See Create JWT access token for full field reference.
{
"accessToken": "eyJ...",
"refreshToken": "30a8e6b809ff43ac8abe267a5f93ef31",
"expiresIn": 7200,
"tokenType": "Bearer"
}
Use accessToken as your Bearer token. Tokens expire after 2 hours; use
refreshToken to renew without repeating the full flow.
POST {domain}/{tenantPath}/{appPath}/api/v1/auth/tokens?grant_type=refresh_token
Content-Type: application/json
{
"refreshToken": "{refreshToken}"
}
If you call these endpoints in code, your HTTP client must:
- Preserve cookies across all 5 requests
- Parse the HTML in step 3 to extract
form_actionand the hidden form fields
M2M Access Token (Client Credential)
Use for automated services, CI/CD pipelines, or any non-interactive caller.
Step 1 — Create a Client Credential
POST /api/v1/oauth2/client-credentials
{
"name": "my-service-prod",
"expiredAt": "2027-01-01T00:00:00Z",
"scopes": ["dataobject.read"],
"deviceIds": ["cc827f50f406"]
}
expiredAt, scopes, and deviceIds are optional. If you omit expiredAt
or set it to null, the Client Credential does not expire.
See Create Client Credential for full field reference.
The response returns clientId and clientSecret.
The secret is shown only once — store it immediately.
To manage existing credentials:
| Operation | API |
|---|---|
| List credentials | GET /api/v1/oauth2/client-credentials |
| Delete credential | DELETE /api/v1/oauth2/client-credentials/{id} |
Deleting a Client Credential revokes it immediately. Any access token issued from that credential becomes invalid immediately.
Step 2 — Request an Access Token
POST {domain}/identity/connect/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id={clientId}&client_secret={clientSecret}
curl -X POST "{domain}/identity/connect/token" \
--data-urlencode "grant_type=client_credentials" \
--data-urlencode "client_id={clientId}" \
--data-urlencode "client_secret={clientSecret}"
Use the returned access token as your Bearer token.
A Client Credential is created at Tenant scope rather than under a specific Org.
The creation request also accepts optional scopes and deviceIds.
Related
- User & Role Management — manage user accounts and IAM roles
- WEDA Postman API Collection
— download the
0-WiseSsoand1-Org&ClientCrendcollections - Postman walkthrough (SSO): Get Access Token
- Postman walkthrough (M2M): M2M Access