The web application supports automatic login inside an embedded iframe by adding an access token to the iframe URL. The steps below explain how to obtain and use the token.
You need the reseller client_id (Web API Key) and client_secret (API Secret Key) to authenticate with the API.
If you don’t have these, contact support.
You also need the email address of the user you want to log in as.
Authentication endpoint: https://yourdomain/api/token
Send a POST request to the authentication URL with these parameters in the request body:
POST https://yourdomain/api/token
{
  "client_id": "xxxxx",
  "client_secret": "******",
  "grant_type": "password",
  "username": "usermail@demo.com"
}
A successful request returns a JSON object containing the access token and expiry information, for example:
{
  "token_type": "Bearer",
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....",
  "expires_in": 7200,
  "expiration": "2023-01-25T09:26:31Z"
}
access_token is the value you will append to the iframe URL.
expires_in (seconds) / expiration indicate when the token becomes invalid.
Add the token as a query parameter to the iframe URL, for example:
http://yourdomain.com/new?access_token=xxxxxxxxxxxxxx
Embedding that URL in an <iframe> will allow the webapp to bypass the normal login flow for the user represented by the token.
Security note: Treat client credentials and access tokens as sensitive. Keep them secret
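One way to script the steps above from backend code, as an added example that is not the vendor's own code. It assumes the token endpoint accepts a JSON body with a Content-Type of application/json and that the iframe page is served over HTTPS; the function names and the sample response are constructed for illustration.

```python
import json
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlencode, urlsplit

TOKEN_URL = "https://yourdomain/api/token"   # endpoint as given on the page
IFRAME_BASE = "https://yourdomain.com/new"   # page's iframe path; HTTPS is an assumption

# Constructed sample response, same shape as the one shown on the page.
SAMPLE_RESPONSE = json.dumps({
    "token_type": "Bearer", "access_token": "constructed.sample.token",
    "expires_in": 7200, "expiration": "2023-01-25T09:26:31Z"})

def build_token_request(client_id, client_secret, user_email):
    """Build the POST from the page. Call this from backend code only, so the
    client_secret is never shipped to the browser."""
    body = json.dumps({"client_id": client_id, "client_secret": client_secret,
                       "grant_type": "password", "username": user_email})
    return urllib.request.Request(
        TOKEN_URL, data=body.encode(), method="POST",
        headers={"Content-Type": "application/json"})  # JSON body: assumption

def iframe_url_from_response(raw_json, now=None):
    """Validate the token response and return the URL to embed."""
    resp = json.loads(raw_json)
    if resp.get("token_type") != "Bearer" or not resp.get("access_token"):
        raise ValueError("unexpected token response")
    expires = datetime.fromisoformat(resp["expiration"].replace("Z", "+00:00"))
    if expires <= (now or datetime.now(timezone.utc)):
        raise ValueError("token already expired")
    if urlsplit(IFRAME_BASE).scheme != "https":
        raise ValueError("refusing to place a token in a non-HTTPS URL")
    # urlencode escapes the token so it cannot break out of the query string.
    return IFRAME_BASE + "?" + urlencode({"access_token": resp["access_token"]})

def fetch_iframe_url(client_id, client_secret, user_email):
    """Live call: request a token and turn it into an iframe URL."""
    req = build_token_request(client_id, client_secret, user_email)
    with urllib.request.urlopen(req, timeout=10) as r:
        return iframe_url_from_response(r.read())

if __name__ == "__main__":
    fixed_now = datetime(2023, 1, 25, 8, 0, tzinfo=timezone.utc)
    print(iframe_url_from_response(SAMPLE_RESPONSE, now=fixed_now))
```

Because the token travels in the URL, build the iframe URL per page render and keep it out of application logs.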