
Token structure


Access token issued to an organisation

To receive an access token for an organisation send a POST request with the following headers:

POST /auth-v1/accessToken
Host: api-money.sage.com
Content-Type: application/json
X-Organisation-id:{organisation ID}
X-Application:sage.{app name}
X-Nonce: {unique value}
X-Signature:{signature}

Where:

  • POST /auth-v1/accessToken is the endpoint where you send your request.
  • api-money.sage.com is your request’s base URL.
  • {organisation ID} is the ID of the organisation you are requesting an access token for.
  • {app name} is the name of an app supported by, and in the format accepted by Service Fabric. For example: sage.intacct.
  • {unique value} is the value used in the X-Nonce header of your request. This must be an arbitrary percent-encoded string no more than 200 characters long, that is unique within the Auth Service. We recommend a GUID.
  • {signature} is the signature for your request. Read our generating an X-signature guide for more information.

JWT access token issued to an organisation:

eyJhbGciOiJSUzI1NiJ9.eyJjY1ZlcnNpb24iOiIxLjAuMC4wIiwib3JnYW5pc2F0aW9uSWQiOiI3ZWY5NGIzZC03ZWJhLTQ0YzktOTA4MC0wZjEwYjQzN2ZlMGMiLCJzb3VyY2VQcm9kdWN0Ijoic2FnZS5hY2NvdW50cyIsImtpZCI6IjYzODBlYmQwM2RkZGRhYzgwNmIwMGI0ZGE4OGRiYWFhODhjZDJjYTFhZDU4ZWRiOTY0NzA2ODhhYzM5ZTM2ZDMiLCJpcCI6IjJhMDYmI3gzYTs5OGMwJiN4M2E7MzYwMCYjeDNhOyYjeDNhOzEwMyIsImlzcyI6IndwYi1hdXRoIiwiY2hhbm5lbCI6ImRlc2t0b3AtY2hhbm5lbCIsImV4cCI6MTY3NzE0MzQyMiwic2VydmljZUlkIjoid3BiLWF1dGgtc2VydmljZSIsImlhdCI6MTY3NzE0MjIyMn0.LtlsfjXBHIuZUR5g6XmN3oaliPvg2fJSmfoYsFTQTlhpZkRkettP93E9tqmwa4c_ETWMYr6clA4GXdJr_nYvd0Nx5QGO01mSuny0oWphxyEIAlcFs5fAH74OQNorjQjwkdb7soVUW3n7ievSInM9-wdHoq3xJN42Dq0OYkwcebea0zMFxUCdbxWeseb_GQ8Alcl6qtY6HawU9muKiaJQ_gQisz2xmpWIe4FbvnO7dhXfv5ZqrBHaY-fGPRWz_DMU-5uqr5Eh7_qiLF_kU_W_mvtuJG0i_NDsU13lhJKZlRx1MepaJIKlLN4Ccxaydzqk__vZsIIMxadN9uhOwJdUfg

Decoded JSON

{
  "ccVersion": "1.0.0.0",
  "organisationId": "7ef94b3d-7eba-44c9-9080-0f10b437fe0c",
  "sourceProduct": "sage.accounts",
  "kid": "6380ebd03ddddac806b00b4da88dbaaa88cd2ca1ad58edb96470688ac39e36d3",
  "ip": "2a06:98c0:3600::103",
  "iss": "wpb-auth",
  "channel": "desktop-channel",
  "exp": 1677143422,
  "serviceId": "wpb-auth-service",
  "iat": 1677142222
}

Where:

  • ccVersion is the common component version.
  • organisationId is the ID of the organisation the token has been issued to.
  • sourceProduct is the application ID of the product that the organisation has been created in.
  • kid is the ID of the signing key used to sign the request.
  • ip is the IPv6
  • iss is the issuer of the token.
  • channel will be either ‘desktop-channel’ or ‘online-channel’ depending on the application type. ‘online-channel’ is for cloud applications only. On-premises web applications and desktop applications will be ‘desktop-channel’.
  • exp is the expiration time of the access token.
  • serviceId is the service that the access token was issued from.
  • iat is the time the access token was issued at.

You can use the access token for the organisation to create companies.

Access token issued to a company

To receive an access token for a company send a POST request with the following headers:

POST /auth-v1/accessToken
Host: api-money.sage.com
Content-Type: application/json
X-Organisation-Id:{organisation ID}
X-Company-Id:{company ID}
X-Application:sage.{app name}
X-Nonce: {unique value}
X-Signature:{signature}

Where:

  • POST /auth-v1/accessToken is the endpoint where you send your request.
  • api-money.sage.com is your request’s base URL.
  • {organisation ID} is the ID of the organisation that the company you are requesting an access token for belongs to.
  • {company ID} is the ID of the company you are requesting an access token for.
  • {app name} is the name of an app supported by, and in the format accepted by Service Fabric. For example: sage.intacct.
  • {unique value} is the value you use in the X-Nonce header of your request. This must be an arbitrary percent-encoded string no more than 200 characters long, that is unique within the Auth Service. We recommend a GUID.
  • {signature} is the signature for your request. Read our generating an X-signature guide for more information.

JWT access token issued to a company:


Decoded JSON

{
  "ccVersion": "1.0.0.0",
  "companyId": "21073524-4b37-46eb-9d9f-a0410ccbda88",
  "organisationId": "7ef94b3d-7eba-44c9-9080-0f10b437fe0c",
  "sourceProduct": "sage.accounts",
  "kid": "6380ebd03ddddac806b00b4da88dbaaa88cd2ca1ad58edb96470688ac39e36d3",
  "ip": "2a06:98c0:3600::103",
  "iss": "wpb-auth",
  "channel": "desktop-channel",
  "networkId": "sage.accounts+123-123-124",
  "exp": 1677143657,
  "serviceId": "wpb-auth-service",
  "iat": 1677142457
}

Where:

  • ccVersion is the common component version.
  • companyId is the ID of the company the token has been issued to.
  • organisationId is the ID of the organisation that the company belongs to.
  • sourceProduct is the application ID of the product that the organisation has been created in.
  • kid is the ID of the signing key used to sign the request.
  • ip is the IPv6
  • iss is the issuer of the token.
  • channel will be either ‘desktop-channel’ or ‘online-channel’ depending on the application type. ‘online-channel’ is for cloud applications only. On-premises web applications and desktop applications will be ‘desktop-channel’.
  • networkId is a combination of the application ID and the external ID which was used to create the company.
  • exp is the expiration time of the access token.
  • serviceId is the service that the access token was issued from.
  • iat is the time the access token was issued at.

You can use the access token for the company to call Service Fabric Services.
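
The organisation and company token layouts described above can be inspected on the client side as follows. This is an added example, not code from Sage: the function names are hypothetical, and the sample tokens are constructed from the claim values shown on this page with a dummy signature.

```python
import base64
import json

ALLOWED_CHANNELS = {"desktop-channel", "online-channel"}  # the two values this page lists

def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_unverified(token: str):
    """Return (header, claims) of a compact JWT. The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def summarise(claims: dict, now: int) -> dict:
    """Classify a token and evaluate its timing claims at `now` (Unix seconds)."""
    missing = [k for k in ("organisationId", "iss", "channel", "exp", "iat") if k not in claims]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    if claims["channel"] not in ALLOWED_CHANNELS:
        raise ValueError(f"unexpected channel: {claims['channel']!r}")
    return {"scope": "company" if "companyId" in claims else "organisation",
            "lifetime_s": claims["exp"] - claims["iat"],
            "expired": now >= claims["exp"]}

def make_sample(claims: dict) -> str:
    # Constructed token: claim values copied from this page, dummy signature.
    header = b64url_encode(json.dumps({"alg": "RS256"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{b64url_encode(b'dummy-signature')}"

ORG_CLAIMS = {"organisationId": "7ef94b3d-7eba-44c9-9080-0f10b437fe0c",
              "sourceProduct": "sage.accounts", "iss": "wpb-auth",
              "channel": "desktop-channel", "serviceId": "wpb-auth-service",
              "exp": 1677143422, "iat": 1677142222}
COMPANY_CLAIMS = {**ORG_CLAIMS, "companyId": "21073524-4b37-46eb-9d9f-a0410ccbda88",
                  "networkId": "sage.accounts+123-123-124",
                  "exp": 1677143657, "iat": 1677142457}

if __name__ == "__main__":
    for sample in (ORG_CLAIMS, COMPANY_CLAIMS):
        header, claims = decode_unverified(make_sample(sample))
        print(header["alg"], summarise(claims, now=claims["iat"] + 60))
```

Decoding like this is only for inspection, for example to refresh a token before exp passes. Any component that makes an authorisation decision must first verify the RS256 signature against the key identified by kid.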