Authentication API

The Froomle Authentication API provides OAuth 2.0 Bearer tokens for machine-to-machine authentication.

Conceptual information, browser integration rules, and token refresh guidance are documented in the Authentication Flow guide.

Endpoints

Get access token

Obtain an access token using Froomle-provided client credentials.

    POST /oauth/token

Use the tenant-specific host:

    https://<tenant>.froomle.com/oauth/token

Request

Send the token request as application/x-www-form-urlencoded.

| Type | Name | Description |
|------|------|-------------|
| Body | client_id | Required. The client ID provided by Froomle. |
| Body | client_secret | Required. The client secret provided by Froomle. |
| Body | grant_type | Required. Must be client_credentials. |

Do not send scope or audience. Froomle assigns scopes and audience to the client credentials.

Responses

| HTTP Code | Description | Schema |
|-----------|-------------|--------|
| 200 | The token was successfully generated. | Token Response |
| 400 | The request is malformed, for example missing required credentials. | No Content |
| 401 | The client credentials are invalid. | No Content |

Form-encoded cURL example

    curl --location --request POST 'https://<tenant>.froomle.com/oauth/token' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'grant_type=client_credentials' \
      --data-urlencode 'client_id=<CLIENT_ID>' \
      --data-urlencode 'client_secret=<CLIENT_SECRET>'

JWKS endpoint

The tenant JWKS endpoint exposes public signing keys for Froomle-issued tokens. Most integrations do not need this endpoint unless they validate tokens locally.

    GET /.well-known/jwks.json

    curl --location 'https://<tenant>.froomle.com/.well-known/jwks.json'

Cache the JWKS response and refresh it if token validation fails because signing keys can rotate.

Definitions

Token Response

The response containing the access token.

| Name | Description | Schema |
|------|-------------|--------|
| access_token | Required. The generated JWT access token. | string |
| expires_in | Required. The number of seconds until the token expires. The default is 86400. | integer |
| scope | Optional. The scopes assigned to the token, for example environment:* full:all. | string |
| token_type | Required. The token type, typically Bearer. | string |

Example:

    {
      "access_token": "...",
      "expires_in": 86400,
      "scope": "environment:* full:all",
      "token_type": "Bearer"
    }
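
The JWKS caching advice in the JWKS endpoint section, as an added example (not Froomle's code): a cache that treats an unknown `kid` in the token header as the rotation signal and refetches at most once per cooldown. It assumes Froomle tokens carry a `kid` header matching a JWKS entry; `JwksCache`, `token_kid`, the 60-second cooldown and the sample keys are hypothetical, and signature verification is left to a JWT library.

```python
import base64, json, time

class JwksCache:
    """Caches JWKS keys by kid; refetches when a token names an unknown kid."""
    def __init__(self, fetch, min_refresh_seconds=60, clock=time.monotonic):
        self._fetch = fetch                  # callable returning the parsed JWKS dict
        self._min_refresh, self._clock = min_refresh_seconds, clock
        self._keys, self._last_fetch, self.fetch_count = {}, None, 0

    def _refresh(self):
        jwks = self._fetch()
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self._last_fetch, self.fetch_count = self._clock(), self.fetch_count + 1

    def key_for(self, token):
        kid = token_kid(token)
        if self._last_fetch is None:
            self._refresh()
        elif kid not in self._keys and self._clock() - self._last_fetch >= self._min_refresh:
            # Unknown kid: keys may have rotated. The cooldown stops tokens with
            # made-up kids from triggering one JWKS request per API call.
            self._refresh()
        return self._keys.get(kid)           # None: reject the token

def token_kid(token):
    """Read kid from the JWT header (assumed present). Unverified: key lookup only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header = json.loads(base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4)))
    if not isinstance(header, dict) or not isinstance(header.get("kid"), str):
        raise ValueError("JWT header has no kid")
    return header["kid"]

def fake_token(kid):  # constructed, unsigned token that carries only a header
    raw = json.dumps({"typ": "JWT", "kid": kid}).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode() + ".e30.sig"

def demo():
    # Constructed JWKS snapshots simulating a rotation from key k1 to key k2.
    snapshots = [{"keys": [{"kid": "k1"}]}, {"keys": [{"kid": "k2"}]}]
    now = [0.0]
    cache = JwksCache(lambda: snapshots[min(cache.fetch_count, 1)], clock=lambda: now[0])
    first = cache.key_for(fake_token("k1"))      # initial fetch
    now[0] = 120.0
    rotated = cache.key_for(fake_token("k2"))    # unknown kid, cooldown elapsed: refetch
    now[0] = 121.0
    bogus = cache.key_for(fake_token("nope"))    # unknown kid inside cooldown: no fetch
    return first["kid"], rotated["kid"], bogus, cache.fetch_count
```

In a real integration `fetch` would GET the tenant's `/.well-known/jwks.json`, and the returned key would be handed to the JWT library that verifies the signature and expiry.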