From July 1st 2021, Refresh Tokens are deprecated and no longer issued as part of the default behavior for authentication. According to the RFC for the Client Credentials grant flow, a refresh token SHOULD NOT be included in the response of the auth request. We urge all developers to adjust their clients for this behavior. Currently, we allow for this possibility by passing the access_token_only scope while making the Auth request. More details can be found here.
From July 1st 2021, the access_token_only scope will not be required anymore to issue only access tokens, as this will become the default behavior for every authentication request.
The Authentication API is used to generate access tokens for use with the zDirect API.
The zDirect API uses OAuth 2.0 to authenticate and authorize client access.
No scopes are required to use the Authentication API.
Many zDirect APIs require clients to have specific permissions or scopes for read or write access. You may assign scopes to your apps in the "Applications" section of the zDirect Portal.
For more information on configuring app scopes, see the Applications section of our zDirect Portal guide.
Each app may only make a limited number of access token requests per minute:
Clients that violate our access token request policies may be rate limited, or even banned. For more information, see Rate Limiting.
Calls to the Authentication API in the sandbox environment are rate limited to one request per minute. Otherwise, they are handled in the same way as calls made in the production environment.
Note that tokens requested in the production environment cannot be used to make sandbox calls, and vice versa.
For more information, see Sandbox Testing in our Getting Started Guide.
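One way to adjust a client to the behavior described above: cache the access token per environment and re-run the client-credentials request when it expires, never relying on a refresh token. This is an added example, not code from the zDirect documentation. `TokenCache` and the `fetch_token` callback are hypothetical names, and the response is assumed to use the standard OAuth 2.0 fields `access_token` and `expires_in`.

```python
import time


class TokenCache:
    """Caches one access token per environment and re-authenticates on expiry."""

    def __init__(self, fetch_token, clock=time.monotonic, skew=30):
        # fetch_token(env) is a caller-supplied (hypothetical) function that performs
        # the client-credentials request and returns the parsed JSON token response.
        self._fetch = fetch_token
        self._clock = clock
        self._skew = skew      # renew this many seconds before the stated expiry
        self._tokens = {}      # env -> (access_token, usable_until)
        self.requests = {}     # env -> token requests made, to watch against the limit

    def get(self, env):
        # Production and sandbox tokens are not interchangeable, so cache them apart.
        if env not in ("production", "sandbox"):
            raise ValueError(f"unknown environment: {env!r}")
        cached = self._tokens.get(env)
        if cached and self._clock() < cached[1]:
            return cached[0]   # still valid: no request spent
        resp = self._fetch(env)
        self.requests[env] = self.requests.get(env, 0) + 1
        # Only access_token and expires_in are read. A refresh_token field, should a
        # response still carry one, is deliberately ignored.
        token = resp["access_token"]
        lifetime = int(resp.get("expires_in", 0))
        usable_until = self._clock() + max(lifetime - self._skew, 0)
        self._tokens[env] = (token, usable_until)
        return token

    def invalidate(self, env):
        """Drop the cached token, for example after an API call is rejected."""
        self._tokens.pop(env, None)


if __name__ == "__main__":
    # Constructed stand-in for the real HTTP call; all values are sample data.
    def fake_fetch(env):
        return {"access_token": f"{env}-sample-token", "expires_in": 7200}

    cache = TokenCache(fake_fetch)
    cache.get("sandbox")
    cache.get("sandbox")
    print(cache.requests)  # one request despite two lookups
```
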
- For detailed instructions on Authentication and a guide to using this API, see Authentication in our Developer Guide.
- For a brief tutorial that walks through using our Authentication API, see the Quick Start Guide.
- For an Authentication API OpenAPI reference, see OpenAPI Specification: Authentication API.
- For more information on OAuth, see https://www.oauth.com/.