Protect your API
SDKs and APIs
Get a user access token to test your APIs
This doc describes how to test user access tokens for your API connection, using Postman and Authorization code (with PKCE).
You can use this process to request tokens for your own and third-party APIs, and to test custom scopes added to claims. Below are the steps to generate id and access tokens with Postman.
For instruction on how to test M2M tokens, see XREF.
Before you begin
Link to this sectionRegister your API (recommended)
Link to this sectionIf you use audiences in your application, we recommend you register your API with Kinde so that you can include audience in the token request.
An audience defines the recipient of the token and ensures the token can only be used by the intended system. You can trust the token as is, but we would recommend you to use the API authentication using audience.
If you haven’t already, register your API with Kinde and set the audience.
Add custom scopes to the access token
Link to this sectionIf you have the relevant Kinde plan, and your API is registered, you can add custom scopes to user access tokens for added API security. You might want to test these as part of this procedure.
Step 1: Add callback URLs to your application in Kinde
Link to this section- In Kinde, go to Settings > Applications.
- Select View details on the tile for the application you’re testing.
- In the Allowed callback URLs section, add this Postman callback URL,
https://oauth.pstmn.io/v1/callbackas a separate entry on a new line. - Select Save.
Step 2: Send request via Postman
Link to this sectionIf you are using audiences in your application, we recommend you
-
In Postman, create a new GET request.
-
Go to the Authorization tab.
-
In the Type field, select OAuth 2.0.
-
Scroll down to the Configure New Token section and set the Grant Type as Authorization Code (With PKCE).
-
Select the Authorize using browser checkbox.
-
Set the Auth URL. For example:
https://yourbusiness.kinde.com/oauth2/auth?prompt=loginWhere:
yourbusiness.kinde.comis the domainprompt=loginforces asking for user credentials every login to disable SSO.
-
(If you’ve registered your API and use
audienceclaims in your product) Add theaudiencekey to the token request, with a value ofhttps://yourproduct.com/api. Note that Kinde supports multiple audiences. -
In the Access Token URL field enter your Kinde domain URL, e.g.
https://yourbusiness.kinde.com/oauth2/token. -
In the Client ID field, add the Client ID listed in the application the API is authorized for. You can find this in Kinde by going to Settings > Applications > View details > App keys section.
-
If you are testing a back-end app, Enter the Client Secret. This can be left blank for front-end apps.
-
Set the Code Challenge Method to SHA-256.
-
Leave the Code verifier field blank.
-
Set the value of Scope to openid email offline.
-
Enter a random value in the State field. It must be at least 8 characters long.
-
Select Get New Access Token. This should be the result:
- The ID token contains an
audclaim for two audiences, one for the application ID, one for the issuing party. - The Access token contains the
audclaim for the requested (intended) audience to authenticate the API. - The
azpclaim represents the applicationclient_idyou are using to issue the token.
- The ID token contains an
-
The access token you received can now be used to test and secure your APIs.
Step 3: Validate the token in your API
Link to this sectionCheck that the token contains the required information and is valid for accessing your application or site. Test may vary depending on your framework, here’s a general topic for verifying JWTs and some recommended libraries.
Things to check, include:
- Audience
- Lifetime / validity
- Scopes