Authentication

All USBC APIs require an OAuth 2.0 bearer token issued by the USBC identity provider. Applications use the client credentials grant — there's no end-user redirect flow.

The flow

┌──────────────┐    1. client_id + client_secret    ┌──────────────┐
│ Your service │ ─────────────────────────────────► │ /oauth/token │
└──────────────┘                                     └──────────────┘
       ▲                                                    │
       │                  2. access_token                   │
       │ ◄──────────────────────────────────────────────────┘
       │
       │    3. Authorization: Bearer <token>
       ▼
┌──────────────┐
│ USBC API     │
└──────────────┘

Token endpoint

Env          URL
Sandbox      https://api.kong.globalid.dev/oauth/token
Production   https://api.kong.global.id/oauth/token (once provisioned)

Request:

curl -X POST https://api.kong.globalid.dev/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "client_credentials",
    "client_id":     "<your-client-id>",
    "client_secret": "<your-client-secret>",
    "scope":         "openid"
  }'

Response:

{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type":   "Bearer",
  "expires_in":   3600,
  "scope":        "openid"
}

Using the token

Attach it as a Bearer header on every API request:

GET /v1/users/me HTTP/1.1
Host: api.kong.globalid.dev
Authorization: Bearer eyJhbGciOiJSUzI1NiIs...

Token lifetime & refresh

  • Default TTL: 1 hour (expires_in: 3600).
  • No refresh token: re-issue with the client credentials when needed.
  • Cache the token in your service and re-request a few minutes before expiry to avoid 401 thrash.
  • Treat the cached token like the client secret: anyone holding it can call the API with it, so keep it out of logs and error reports.
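A token cache that follows the lifetime rules above, as an added example (not USBC's own code): it re-issues a few minutes before expires_in runs out and again if the API answers 401, since there is no refresh token. The POST to /oauth/token is delegated to a callable, so the cache logic runs offline against a constructed fake endpoint in demo(); http_token_fetcher builds the real request body shown on this page with the standard library. The refresh margin, the half-TTL floor and the single-retry policy are this example's choices, not documented USBC behaviour.

```python
"""Added example, not USBC's own code: a client-credentials token cache.
It re-issues ahead of expiry and on a 401 from the API; there is no refresh token.
"""
import json
import time
import urllib.request
from typing import Callable, Optional, Tuple


def http_token_fetcher(token_url: str, client_id: str, client_secret: str) -> Callable[[], dict]:
    """Returns a fetcher that POSTs the JSON body shown on this page (stdlib only)."""
    body = json.dumps({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # load from a secrets store, never from source
        "scope": "openid",
    }).encode()

    def fetch() -> dict:
        req = urllib.request.Request(token_url, data=body, method="POST",
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return fetch


class TokenCache:
    """Holds one access token and refreshes it before expiry."""

    def __init__(self, fetch_token: Callable[[], dict], refresh_margin: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch_token
        self._margin = refresh_margin      # seconds before expiry at which to re-request
        self._clock = clock                # monotonic clock; injectable for offline tests
        self._token: Optional[str] = None
        self._refresh_at = 0.0

    def get(self) -> str:
        """Returns a token that still has at least refresh_margin seconds of life."""
        if self._token is None or self._clock() >= self._refresh_at:
            self._refresh()
        return self._token

    def invalidate(self) -> None:
        """Drop the cached token; call after a 401 invalid_token."""
        self._token = None

    def auth_header(self) -> dict:
        return {"Authorization": f"Bearer {self.get()}"}  # keep the Bearer prefix

    def _refresh(self) -> None:
        resp = self._fetch()
        if resp.get("token_type", "").lower() != "bearer":
            raise ValueError(f"unexpected token_type {resp.get('token_type')!r}")
        ttl = float(resp["expires_in"])
        # Refresh `margin` seconds early, but never earlier than half the TTL,
        # so a short-lived token is not re-requested on every call.
        self._refresh_at = self._clock() + max(ttl - self._margin, ttl / 2)
        self._token = resp["access_token"]


def call_with_retry(cache: TokenCache,
                    do_request: Callable[[dict], Tuple[int, object]]) -> Tuple[int, object]:
    """do_request(headers) -> (status, body). On 401, re-issue the token and retry once.
    Only one retry: a second 401 means the credentials, not the token, are wrong."""
    status, body = do_request(cache.auth_header())
    if status == 401:
        cache.invalidate()
        status, body = do_request(cache.auth_header())
    return status, body


def demo() -> int:
    """Offline run against a constructed fake token endpoint; returns tokens issued."""
    issued = []
    clock = {"t": 0.0}

    def fake_fetch() -> dict:           # constructed stand-in for /oauth/token
        issued.append(f"tok{len(issued) + 1}")
        return {"access_token": issued[-1], "token_type": "Bearer",
                "expires_in": 3600, "scope": "openid"}

    cache = TokenCache(fake_fetch, clock=lambda: clock["t"])
    cache.get()                 # first call: token issued
    clock["t"] = 3000           # 600 s left: served from cache
    cache.get()
    clock["t"] = 3301           # inside the 300 s margin: re-issued
    cache.get()
    return len(issued)          # 2


if __name__ == "__main__":
    print("tokens issued:", demo())
```

In production, build the cache with `TokenCache(http_token_fetcher(url, client_id, client_secret))` and wrap API calls in call_with_retry; the clock argument only exists so the expiry logic can be exercised without waiting an hour.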

Common errors

Code                      Meaning                           Fix
401 invalid_client        Wrong client id/secret.           Re-check copy/paste. The secret is shown only once, at creation.
401 invalid_token         Token expired or malformed.       Re-issue the token. Don't strip the Bearer prefix.
403 insufficient_scope    App not subscribed to that API.   Subscribe to the API from My Applications.

For a complete error catalogue, see Errors & Rate Limits.

Rotating secrets

From My Applications → your app → Credentials you can rotate the client_secret. During the 60-second rotation window both the old and the new secret are accepted, which gives you a deploy slot to update production config without downtime. Once the window closes, token requests that still send the old secret fail with 401 invalid_client.