Manage the authentication experience
Auth and access
This doc describes how to test the security of token exchange for your API connection and M2M apps, using Postman and Authorization code (with PKCE).
You can use this process to request tokens for your own and third-party APIs, and to test custom scopes added to claims. Below are the steps to generate id
and access
tokens with Postman.
If you are testing user access tokens, see Get a user access token to test your APIs.
If you haven’t already, register your API with Kinde and set the audience.
If you have the relevant Kinde plan, you can add custom scopes to M2M access tokens for added API security. You might want to test these as part of this procedure.
To securely connect to Kinde’s API, you need to obtain an access token. This procedure describes how to get the token using Postman - an API platform - but you can follow similar steps in your own app environment.
We recommend you do this in a non-production environment first. If you decide to use Postman, we recommended that you set up a Postman environment.
Add your machine to machine application keys as environment variables.
Set up a new collection or use your existing one.
Go to the Authorization tab and ensure the Type is OAuth 2.0 and the Header Prefix is set to Bearer.
In the Configure New Token section, set the Grant Type to Client Credentials. This is the grant type for hitting your API.
Enter the Access Token URL, using the domain variable you created above. For example, https://yourbusiness.kinde.com/oauth2/token
. Note that even if you use a custom subdomain domain, the access token URL needs to include the kinde.com
domain.
Enter the Client ID and Client Secret for the M2M application you created in Kinde.
Set the audience to match the audience
value for the API you registered in Kinde. To do this:
Scroll down and expand the Advanced section.
Add audience
as the key and paste the URL as the value.
Set Send in to Request body
In the Authorization section, select Get New Access Token. If it works, you should see a confirmation message.
Select Use Token. You should now have the access token.
Check that the token contains the required information and is valid. Testing methods may vary depending on your framework, here’s a general topic for verifying JWTs and some recommended libraries.
Things to check, include: