OAuth

Schemas for OAuth token requests, including scopes, assertion JWTs, and subject identifiers.

Assertion JWT

A JSON Web Token (JWT) used for authorization in OAuth token requests. The JWT must be signed with the private key corresponding to the client_id in the kid header using the ES384 algorithm.

All of
  • Headers object

    Assertion JWT headers

    OBJECT PROPERTIES
    • alg string REQUIRED

      The signing algorithm.

      Possible values: ES384

    • kid string REQUIRED

      The key used to sign the JWT, the client_id.

  • Claims object

    Assertion JWT claims

    OBJECT PROPERTIES
    • aud string REQUIRED

      The valid request endpoint. Example: https://oauth2.asnapius.com/token

    • exp integer REQUIRED

      The assertion’s expiration timestamp in seconds since epoch, after which it is not valid. The expiry must not be more than 10 minutes in the future. This is for the assertion, not for the token that will be returned. Example: 1681862754

    • iat integer REQUIRED

      The issue timestamp in seconds since epoch. Example: 168186250

    • ipaddr string

      A space-delimited list of CIDR representations of valid IP addresses to which the issued token is restricted.

    • iss string REQUIRED

      The issuer, the client_id.

    • nonce string REQUIRED

      A unique string that must not have been used recently with this client_id. We will store this for a minimum of 2 hours. If you are relying on the nonce to defend against replay attacks, it is recommended to also enforce a narrow ipaddr range in order to prevent requests that utilize the returned access token from being replayed by an outside client.

    • scope object<OAuth Scope>

      A space-delimited list of scopes to which the returned claim should be restricted. If not provided, the full list of scopes the client_id is granted will be in the returned claim.

      The value of the scope parameter is a list of space-delimited, case-sensitive strings. If multiple scopes are specified, their order does not matter. Each string adds an additional access range to the requested scope.

      • att: Attachments
      • chn: Channels
      • evt: Events
      • lst: Lists
      • nu: Named Users
      • pln: Pipelines
      • psh: Push
      • sch: Schedules

    • sub object<Subject> REQUIRED

      A space-delimited set of identifiers for which subjects a token is allowed. An app subject is required. Example: app:JQIMcndxIHWy2QISpt1SpZ.

      • app: May operate on the given app
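
A pre-flight check of the header and claim rules above, run before the assertion is signed. This is an added example, not code from the API's documentation: the function names, the 5-minute lifetime, and the client_id used when calling it are assumptions, and ES384 signing itself is not shown.

```python
import ipaddress
import secrets
import time

ALLOWED_SCOPES = {"att", "chn", "evt", "lst", "nu", "pln", "psh", "sch"}
REQUIRED_CLAIMS = ("aud", "exp", "iat", "iss", "nonce", "sub")
MAX_LIFETIME = 600  # exp must not be more than 10 minutes in the future


def build_assertion(client_id, app_key, aud, scopes=(), cidrs=(), now=None):
    """Return (headers, claims) for an assertion; hypothetical helper, unsigned."""
    now = int(time.time()) if now is None else now
    claims = {"aud": aud, "iss": client_id, "iat": now,
              "exp": now + 300,  # assumed 5-minute lifetime, inside the limit
              "nonce": secrets.token_urlsafe(16),  # fresh value per request
              "sub": f"app:{app_key}"}
    if scopes:
        claims["scope"] = " ".join(scopes)  # omit to receive all granted scopes
    if cidrs:
        claims["ipaddr"] = " ".join(cidrs)  # restricts where the token is usable
    return {"alg": "ES384", "kid": client_id}, claims


def check_assertion(headers, claims, now=None):
    """Return a list of rule violations; an empty list means well-formed."""
    now = int(time.time()) if now is None else now
    problems = [f"missing claim: {c}" for c in REQUIRED_CLAIMS if c not in claims]
    if headers.get("alg") != "ES384":
        problems.append("alg must be ES384")
    if not headers.get("kid") or headers.get("kid") != claims.get("iss"):
        problems.append("kid and iss must both be the client_id")
    exp = claims.get("exp")
    if exp is not None and not (isinstance(exp, int) and now < exp <= now + MAX_LIFETIME):
        problems.append("exp must be in the future and at most 10 minutes ahead")
    for scope in str(claims.get("scope", "")).split():
        if scope not in ALLOWED_SCOPES:  # scope strings are case-sensitive
            problems.append(f"unknown scope: {scope}")
    subjects = str(claims.get("sub", "")).split()
    if not any(s.startswith("app:") and len(s) > 4 for s in subjects):
        problems.append("sub needs an app:<key> subject")
    for cidr in str(claims.get("ipaddr", "")).split():
        try:
            ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"ipaddr entry is not a valid CIDR: {cidr}")
    return problems
```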

OAuth Scope

The value of the scope parameter is a list of space-delimited, case-sensitive strings. If multiple scopes are specified, their order does not matter. Each string adds an additional access range to the requested scope.

  • att: Attachments
  • chn: Channels
  • evt: Events
  • lst: Lists
  • nu: Named Users
  • pln: Pipelines
  • psh: Push
  • sch: Schedules

Subject

A space-delimited set of identifiers for which subjects a token is allowed. Example: app:JQIMcndxIHWy2QISpt1SpZ

  • app: May operate on the given app
