Getting Your First Token
Three authentication tracks are supported. Pick the one that matches your integration type.
Client Credentials (Backend Services)
Use this for machine-to-machine integrations: backend services, ETL pipelines, and testing. The client secret is a server-side credential; never embed it in a browser or mobile app, and never commit it to source control.
curl -X POST http://localhost:5000/connect/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=YOUR_CLIENT_ID" \
-d "client_secret=YOUR_CLIENT_SECRET" \
-d "scope=admin.read"
Response:
{
"access_token": "eyJhbGciOiJSUzI1NiJ9...",
"expires_in": 3600,
"token_type": "Bearer"
}
Use the token: Authorization: Bearer eyJhbGciOiJSUzI1NiJ9...
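The request above, as an added Python example (not code from this page or the project): a helper that posts the client_credentials grant, caches the token and refreshes it shortly before expires_in runs out instead of hitting /connect/token on every call, and decodes the JWT payload for inspection while debugging. TOKEN_URL is the local endpoint from the page; the HTTP call is isolated so the cache can be exercised with a stub, and SAMPLE_TOKEN is a constructed token, not one issued by IS7.

```python
"""Client-credentials helper: request a token, cache it, refresh before expiry.

Added example, not code from the page or the project. Assumes the
/connect/token endpoint and response shape shown above.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

TOKEN_URL = "http://localhost:5000/connect/token"  # local dev endpoint from the page


def request_token(client_id: str, client_secret: str, scope: str,
                  token_url: str = TOKEN_URL) -> Dict:
    """POST the client_credentials grant exactly as the curl example does."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode("ascii")
    req = urllib.request.Request(
        token_url, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


class TokenCache:
    """Reuse one access token until shortly before it expires.

    Requesting a token per API call is needless load on the token endpoint and
    leaves more live tokens in flight; refreshing `skew` seconds early avoids
    sending a token that expires while the request is in transit.
    """

    def __init__(self, fetch: Callable[[], Dict], skew: int = 60,
                 clock: Callable[[], float] = time.time):
        self._fetch = fetch      # e.g. lambda: request_token(cid, secret, "admin.read")
        self._skew = skew
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0

    def get(self) -> str:
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            data = self._fetch()
            if str(data.get("token_type", "")).lower() != "bearer":
                raise ValueError("unexpected token_type: %r" % data.get("token_type"))
            self._token = data["access_token"]
            self._expires_at = self._clock() + int(data["expires_in"])
            self.fetch_count += 1
        return self._token

    def auth_header(self) -> Dict[str, str]:
        """Header to attach to API calls, as in the 'Use the token' line above."""
        return {"Authorization": "Bearer " + self.get()}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> Dict:
    """Decode a JWT payload for inspection only; no signature check.

    Handy for checking exp/scope while debugging. The API, not the client,
    verifies the signature, so never make authorization decisions from this.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


# Constructed sample for offline use: real base64url JSON header and payload,
# placeholder signature. The header matches the eyJhbGciOiJSUzI1NiJ9 prefix above.
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256"}'),
    _b64url(b'{"scope":"admin.read","exp":1700003600}'),
    "sig",
])
```

In a real service wrap request_token in the fetch callable and share one TokenCache across requests; the skew should exceed your slowest downstream call.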
API Key (POS Terminals)
API keys are created via the Admin API (POST /admin/api/v1/clients). The key is returned once, in the create response, and cannot be retrieved later: store it in a secrets manager, not in source control, shell history or logs.
# No token request needed — use the key directly
curl -X GET "http://localhost:5003/pos/api/v1/members/lookup?phone=5551234567" \
-H "X-Api-Key: rsa_live_a1b2c3d4..."
If a key is lost or exposed, replace it via POST /admin/api/v1/clients/{id}/rotate-secret. Outside local development, send the key over HTTPS only; an X-Api-Key header on plain HTTP is readable by anyone on the network path.
PKCE (Browser / Human Login)
The PKCE flow is for interactive human login and requires a browser redirect, so it is not usable from an unattended backend process. If you are building a web app, use a library such as NextAuth.js rather than implementing the flow by hand; the existing admin portals use next-auth with the IS7 PKCE provider. Whichever you use, the code_verifier must never leave your server-side session, and the callback should be bound to a random state value that you check before exchanging the code.
1. Redirect to GET http://localhost:5000/connect/authorize
?client_id=YOUR_APP
&redirect_uri=http://localhost:3001/api/auth/callback/rsa
&response_type=code
&scope=openid admin.read
&code_challenge=BASE64URL(SHA256(code_verifier))
&code_challenge_method=S256
2. User logs in and consents
3. IS7 redirects back to your redirect_uri with ?code=AUTH_CODE
4. Exchange code:
POST http://localhost:5000/connect/token
grant_type=authorization_code
code=AUTH_CODE
code_verifier=YOUR_VERIFIER
client_id=YOUR_APP
redirect_uri=http://localhost:3001/api/auth/callback/rsa
See PKCE Flow for the full flow with code examples.
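The four steps above, as an added Python example (not the project's code and not the NextAuth.js integration the page mentions): verifier and S256 challenge generation, the authorize URL, a callback parser that rejects a mismatched state, and the token-exchange body. It assumes the IS7 endpoints and parameters listed above; CLIENT_ID and REDIRECT_URI are the page's placeholders, and the state parameter is standard OAuth 2.0 rather than something shown in the page's URL. Only exchange_code needs a running IS7.

```python
"""PKCE authorization-code flow pieces matching steps 1-4 above.

Added example, not code from the page or the project. Assumes the IS7
/connect/authorize and /connect/token endpoints shown above.
"""
import base64
import hashlib
import hmac
import json
import secrets
import urllib.parse
import urllib.request
from typing import Dict, Tuple

AUTHORIZE_URL = "http://localhost:5000/connect/authorize"
TOKEN_URL = "http://localhost:5000/connect/token"
CLIENT_ID = "YOUR_APP"                                        # placeholder from the page
REDIRECT_URI = "http://localhost:3001/api/auth/callback/rsa"  # from the page


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_verifier(nbytes: int = 32) -> str:
    """RFC 7636 verifier: 43..128 unreserved chars; 32 random bytes -> 43 chars."""
    return _b64url(secrets.token_bytes(nbytes))


def challenge_for(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(code_verifier)), as in step 1."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(scope: str = "openid admin.read") -> Tuple[str, Dict[str, str]]:
    """Step 1: the redirect URL plus the per-login secrets to keep in the session.

    `state` binds the callback to this login attempt (CSRF protection); the
    verifier is the proof of possession sent only in step 4.
    """
    verifier = new_verifier()
    state = _b64url(secrets.token_bytes(16))
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": scope,
        "code_challenge": challenge_for(verifier),
        "code_challenge_method": "S256",
        "state": state,
    }
    url = AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)
    return url, {"verifier": verifier, "state": state}


def parse_callback(callback_url: str, session: Dict[str, str]) -> str:
    """Step 3: pull ?code=... from the redirect, only if state matches ours."""
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if "error" in qs:
        raise PermissionError("authorization failed: %s" % qs["error"][0])
    returned_state = qs.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), session["state"].encode()):
        raise PermissionError("state mismatch: possible CSRF or stale login")
    return qs["code"][0]


def token_request_body(code: str, verifier: str) -> bytes:
    """Step 4 body: the same form fields the page lists."""
    return urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "code_verifier": verifier,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
    }).encode("ascii")


def exchange_code(code: str, verifier: str) -> Dict:
    """Step 4: POST to /connect/token; this one needs the running IS7 instance."""
    req = urllib.request.Request(
        TOKEN_URL, data=token_request_body(code, verifier),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())
```

Keep the dict returned by build_authorize_url in the server-side session keyed to the user's browser; if the verifier or state ever reaches the browser, an attacker who obtains the code can complete the exchange.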