APIs
An API in Optare represents a protected resource that your applications can access. Define APIs to enable fine-grained authorization with scopes.
Why Define APIs?
When you define an API, you can:
- Issue access tokens with specific `audience` claims
- Control which applications can access which resources
- Define custom scopes for granular permissions
Create an API
- Go to the Optare Console
- Navigate to APIs
- Click Create API
API Settings
| Field | Description | Example |
|---|---|---|
| Name | Display name | My Backend API |
| Identifier | Unique URI (used as audience) | https://api.myapp.com |
| Signing Algorithm | Token signature algorithm | RS256 (recommended) |
Scopes
Scopes define what actions can be performed on the API.
Create Scopes
| Scope | Description |
|---|---|
| read:users | View user information |
| write:users | Create/update users |
| delete:users | Delete users |
| admin | Full administrative access |
Best Practices
- Use the `resource:action` format (e.g., `read:projects`)
- Keep scopes granular
- Avoid catch-all scopes like `*`
Using APIs
Request Token with Audience
```javascript
const { accessToken } = await client.auth.getToken({
  audience: 'https://api.myapp.com',
  scope: 'read:users write:users',
});
```
Validate in Your API
```javascript
import * as jose from 'jose';

// Remote key set of your Optare tenant. The JWKS URL is taken from the
// environment here; look it up in your tenant's OIDC discovery document.
const JWKS = jose.createRemoteJWKSet(new URL(process.env.OPTARE_JWKS_URL));

// Verify signature, audience and issuer in one call; jwtVerify also rejects
// expired tokens.
const { payload } = await jose.jwtVerify(token, JWKS, {
  audience: 'https://api.myapp.com',
  issuer: 'https://id.optare.one',
});

// Check scopes (the scope claim is a space-delimited string)
const scopes = payload.scope?.split(' ') || [];
if (!scopes.includes('read:users')) {
  // ForbiddenError: your framework's 403 error type (not defined here)
  throw new ForbiddenError('Missing read:users scope');
}
```
Machine-to-Machine (M2M) Access
For backend services accessing your API:
- Create an M2M application
- Authorize it to access your API
- Grant specific scopes
```javascript
const token = await client.auth.getM2MToken({
  clientId: 'service_client_id',
  clientSecret: process.env.SERVICE_SECRET,
  audience: 'https://api.myapp.com',
  scope: 'read:users',
});
```
Next Steps
- Applications - OAuth client setup
- Node.js Quickstart - Validate tokens
- RBAC - Role-based access control