Authentication

The Client Credentials Flow (defined in OAuth 2.0 RFC 6749, section 4.4) will be used by the Motorweb API Gateway to authenticate and authorise clients.

Environments

The following are the base URLs for the available environments. Each environment requires its own set of client credentials, i.e. you cannot use Production client credentials in Test.

Getting the Access Token

To access our APIs, clients must first make a POST request to the /auth/v1/token endpoint, exchanging their client credentials for an access token.

Request

URL

/auth/v1/token

Method

POST

Required Headers

Content-Type: application/x-www-form-urlencoded

Form Parameters

grant_type=client_credentials&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>

Example request for the test environment using curl:

Make sure you replace [CLIENT_ID] and [CLIENT_SECRET] with the client credentials shared with you.

curl --request POST \
 --url https://api.tst.motorweb.app/auth/v1/token \
 --header 'content-type: application/x-www-form-urlencoded' \
 --data grant_type=client_credentials \
 --data client_id=[CLIENT_ID] \
 --data client_secret=[CLIENT_SECRET]

Response

The endpoint will return the following response.

{
 "token_type": "Bearer",
 "issued_at": "1712272706170",
 "client_id": "wmUB6jn1LV2eGmy6VQY655L2J2pqiezKwJIAjwCz5NGRIARJ",
 "access_token": "eyJ...[REDACTED]",
 "application_name": "8134c8d0-fa55-4bf0-b817-d795c5f41123",
 "scope": "",
 "expires_in": 3599
}

The access_token field contains a JWT used for making calls to our other APIs. The access token is valid for the next 60 minutes, and its expiry timestamp can be obtained by decoding the JWT and inspecting the exp field. A new token can be obtained by calling the /auth/v1/token endpoint again. It is the client's responsibility to implement a token refresh strategy so that expired tokens, which lead to errors, are not used. To optimise performance and reduce unnecessary requests, we recommend caching and reusing your JWT access token for as long as its expiration allows.
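One way to implement the caching and refresh strategy described above, as an added example rather than Motorweb's own client code. The environment variable names MOTORWEB_CLIENT_ID and MOTORWEB_CLIENT_SECRET, the 60-second refresh margin and the names jwt_exp, fetch_token and TokenCache are assumptions; the secret is read from the environment so that it does not appear in shell history or the process list.

```python
import base64, json, os, time
import urllib.parse, urllib.request

def jwt_exp(token):
    """Return the exp claim (epoch seconds) from a JWT payload.
    The signature is not checked: this only schedules the refresh."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

def fetch_token(base_url="https://api.tst.motorweb.app"):
    """POST the client credentials to /auth/v1/token; return the parsed JSON."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": os.environ["MOTORWEB_CLIENT_ID"],          # assumed name
        "client_secret": os.environ["MOTORWEB_CLIENT_SECRET"],  # assumed name
    }).encode()
    req = urllib.request.Request(
        base_url + "/auth/v1/token", data=form,  # data present => POST
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Reuse one access token until shortly before it expires."""
    def __init__(self, fetch=fetch_token, skew=60, clock=time.time):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._exp = None, 0

    def get(self):
        # Refresh `skew` seconds early to absorb clock drift and request latency.
        if self._token is None or self._clock() >= self._exp - self._skew:
            resp = self._fetch()
            if resp.get("token_type") != "Bearer":
                raise ValueError("unexpected token_type in token response")
            token = resp["access_token"]
            try:
                exp = jwt_exp(token)
            except (IndexError, KeyError, TypeError, ValueError):
                # Not a decodable JWT: fall back to expires_in (seconds).
                exp = self._clock() + int(resp["expires_in"])
            self._token, self._exp = token, exp
        return self._token

    def auth_header(self):
        return {"Authorization": "Bearer " + self.get()}

# Usage: cache = TokenCache(); pass cache.auth_header() as request headers.
```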

Making API Calls

A non-expired JWT access token from the /auth/v1/token endpoint must be included in the Authorization header when making calls to our API. The Authorization header has the following format, with the token preceded by Bearer.

Authorization: Bearer eyJ...{REST_OMITTED}

Example request for the test environment using curl:

Make sure you replace [JWT_ACCESS_TOKEN] with the bearer token from the steps above.

curl --request GET \
 --url https://api.tst.motorweb.app/market-data/v1/vehicles/plate/ABC123 \
 --header 'authorization: Bearer [JWT_ACCESS_TOKEN]'
