OAuth 2.0 Primer

A reference page to learn about OAuth 2.0 and JWT, Chassi's primary security mechanism.

Chassi uses OAuth 2.0 as its authentication protocol for connecting to Chassi API Endpoints. Also, if you subscribe to Chassi Webhooks, we will authenticate to your application using OAuth 2.0 as well. So when connecting to our API, you will need to set up an OAuth 2.0 client. And when you set up an endpoint for a Chassi Webhook to call, you will need to set up an OAuth 2.0 server, so you can authenticate Chassi as a client. In either case, there are very popular and well-supported libraries in all the major languages that make setting up and deploying an OAuth client or OAuth server a snap.

We are not going to attempt to document OAuth and JWT for you. Instead, we will point you to some of the top learning resources for OAuth.

OAuth 2.0 & JWT Resources

The following resources are meant to help you understand OAuth a little better. The essential point is that OAuth for the Chassi API works like a rotating API key, and we use the client credentials grant type. Your Chassi Service Account provides a client secret; you present it to the authentication server to obtain an access token, which serves as your API key. That token expires after a short period of time, at which point you request a new access token (a new API key) from the authentication server. You send the access token as an API key in the header of each request to a Chassi API Endpoint in order to have the request fulfilled. But don't worry, there are a ton of open source libraries for all the popular languages that help get you up and running quickly.

The access token is formatted as a JWT (JSON Web Token), so its claims (for example the expiry time) can be decoded.

It is important to note that OAuth defines several grant types. Some are interactive, where a user must grant permission through a UI before the flow can proceed (e.g., a Facebook login authorizing a 3rd party app); others are non-interactive and allow one computer system to authenticate automatically and securely to another. If you are new to OAuth, don't get bogged down in the various grant types and how each of them works. Just learn the grant type Chassi uses, so you can be on your way quickly. Chassi API Endpoints use the client credentials grant type (client_credentials), which lets your application authenticate without a human or a UI in the middle of the process.
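As an added example (not Chassi's own code or client library), the rotating-key behaviour described above in Python: a client obtains an access token through the client credentials grant, sends it as a Bearer header, reads the JWT's `exp` claim, and fetches a fresh token shortly before expiry. The token endpoint, client id, secret and signing key are constructed stand-ins, and the client deliberately does not verify the signature, since that is the resource server's job.

```python
import base64, hashlib, hmac, json, time
from typing import Callable, Dict


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT (constructed stand-in for the authentication server's signer)."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"


def jwt_claims(token: str) -> dict:
    """Decode the payload only; the API endpoint verifies the signature, not the client."""
    return json.loads(b64url_decode(token.split(".")[1]))


def make_fake_token_endpoint(client_id: str, client_secret: str, key: bytes,
                             now: Callable[[], float], lifetime: int = 300):
    """Constructed stand-in for a token endpoint's client_credentials handler."""
    def request_token(cid: str, secret: str) -> Dict:
        if not (hmac.compare_digest(cid, client_id) and hmac.compare_digest(secret, client_secret)):
            raise PermissionError("invalid_client")
        iat = int(now())
        tok = sign_jwt({"sub": cid, "iat": iat, "exp": iat + lifetime}, key)
        return {"access_token": tok, "token_type": "Bearer", "expires_in": lifetime}
    return request_token


class ClientCredentialsClient:
    """Caches the access token and requests a new one shortly before it expires."""
    def __init__(self, request_token: Callable[[str, str], Dict], client_id: str,
                 client_secret: str, now: Callable[[], float] = time.time, leeway: int = 30):
        self._request, self._id, self._secret = request_token, client_id, client_secret
        self._now, self._leeway = now, leeway
        self._token, self._exp, self.fetches = None, 0, 0

    def access_token(self) -> str:
        if self._token is None or self._now() >= self._exp - self._leeway:
            resp = self._request(self._id, self._secret)
            self._token = resp["access_token"]
            # Prefer the JWT's own exp claim; fall back to expires_in from the response.
            self._exp = jwt_claims(self._token).get("exp", self._now() + resp.get("expires_in", 0))
            self.fetches += 1
        return self._token

    def auth_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.access_token()}"}
```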

To connect to a Chassi API Endpoint, you need to use a Chassi Service Account.

What’s Next

Learn how to use a Chassi Service Account to connect to a Chassi API Endpoint.