Access Token


Access Tokens are credentials used by applications to access an API's protected resources. An Access Token is a string representing an authorization issued to the client. Tokens represent specific scopes and durations of access, granted by the resource owner and enforced by the API as well as the authorization server.

Its purpose is to inform the API that the bearer of this token has been authorized to access the API and perform specific actions (as specified by the scope that is granted). The Access Token should be used as a bearer credential and transmitted in an HTTP Authorization header to the API.

The following table describes the claims returned in the Access Token.

| Claim | Description | Example |
| --- | --- | --- |
| client_id | Client identity of the client that requested the authentication (your application's client_id). | demoapp |
| scope | A list of scopes that the user has access to. | [ "openid", "profile", "email" ] |
| tenant_id | If you request the scope tenants and enable it as Identity claim, you will receive your current Tenant ID context (only present for tenant enabled applications). | 9ea83b40-1ce9-4f2d-a1ac-2b0f28001bb6 |
| auth_time | Time when the authentication occurred. Number representing seconds since 01.01.1970. Not returned to “services” (non-interactive apps). | 1498217219 |
| sub | Visma Connect Unique User ID of authenticated user. This value is immutable and remains the same for the lifetime of the account. Not returned to “services” (non-interactive apps). | 1072cd43-d99a-4d44-84a2-5f80720c1a19 |
| sub_external_id | Only applicable to Interactive APIs. If you request the scope sub_external_id and enable it as Identity claim, you will receive your external user id set by the Connect Public API method “Add ExternalID for an Application linked to User”. Note: The external user id is prepended with your specific "clientid:", resulting in the formatted string "clientid:123456". Not returned to “services” (non-interactive apps). | demoapp:123456 |
| aud | Audiences. A list of API URIs that have scopes in the Access Token. | ["https://api1.visma.com/resources", "https://api2.visma.com"] |
| nbf | Not Before Time in Unix Time Stamp (Epoch time). | 1501591804 |
| iss | Issuer. | https://connect.visma.com |
| exp | Expiration Time in Unix Time Stamp (Epoch time). | 1501601800 |
| jti (optional; must be enabled for your Application) | JSON Web Token ID. A unique identifier for the JWT. | 234hhjfhjk342hkh4hkj324hkjh42343khfs1jf |
| act | The act (actor) claim provides a means to express that delegation has occurred and identify the acting party to whom authority has been delegated. The act claim value is a JSON object, and members in the JSON object are claims that identify the actor. Not returned to “services” (non-interactive apps). | { "client_id": "delegateClient1", "sub": "7a36c1ed-15e6-4597-b452-a5e5bd268286" } where client_id is the client ID who has been delegated, and sub (currently not supported) is a string identifying the subject (user) impersonated. |
| may_act | If you are allowing Token Exchange Delegation to trusted apps, then your access token will include the unique set of clients you have allowed delegation to. Not returned to “services” (non-interactive apps). | { "client_id": ["delegateClient1", "delegateClient2"], "sub": "7a36c1ed-15e6-4597-b452-a5e5bd268286" } where client_id is a string or array of client IDs who can exchange the token, and sub (currently not supported) is a string or array identifying the actor token User(s) for delegation. |
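
To show how an API can enforce the claims in the table above, here is an added Python example (not Visma's code) that checks the payload of an access token whose signature a JWT library has already verified. The names `authorize`, `TokenRejected` and `as_list`, the 30-second clock leeway and the sample payload are assumptions; the payload is constructed from the table's example values.

```python
import time

ISSUER = "https://connect.visma.com"  # iss value from the claims table

class TokenRejected(Exception):
    """Raised when a claim check fails."""

def as_list(value):
    # aud and scope may be a single string or a JSON array
    if value is None:
        return []
    return value.split() if isinstance(value, str) else list(value)

def authorize(claims, api_audience, required_scope, now=None, leeway=30):
    """Check the claims of an access token whose signature is already verified."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise TokenRejected("unexpected issuer")
    if api_audience not in as_list(claims.get("aud")):
        raise TokenRejected("token was not issued for this API")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, int) or now >= exp + leeway:
        raise TokenRejected("token expired or exp missing")
    if isinstance(nbf, int) and now < nbf - leeway:
        raise TokenRejected("token not yet valid")
    if required_scope not in as_list(claims.get("scope")):
        raise TokenRejected("missing scope: " + required_scope)
    return {
        "client_id": claims.get("client_id"),
        "user": claims.get("sub"),  # absent for "services" (non-interactive apps)
        "interactive": "sub" in claims,
        # act appears only when authority was delegated to another client
        "actor_client": (claims.get("act") or {}).get("client_id"),
    }

# Constructed sample payload, built from the example values in the table.
SAMPLE = {
    "iss": "https://connect.visma.com",
    "aud": ["https://api1.visma.com/resources", "https://api2.visma.com"],
    "client_id": "demoapp",
    "scope": ["openid", "profile", "email"],
    "sub": "1072cd43-d99a-4d44-84a2-5f80720c1a19",
    "nbf": 1501591804,
    "exp": 1501601800,
    "act": {"client_id": "delegateClient1"},
}

if __name__ == "__main__":
    print(authorize(SAMPLE, "https://api2.visma.com", "profile", now=1501595000))
```

A token that passes these checks for one API is still rejected by another API whose URI is not listed in `aud`, which is what keeps a token issued for one resource from being replayed against a different one.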