API authentication
OAuth introspection can be used to authenticate API clients.
A single OAuth provider is required to store the identities of the agents used by the service. This OAuth provider must support dynamic client registration. Additional OAuth providers can be specified for authenticating users (also referred to as holders).
The OAuth provider that introspects a request is selected by the value of the OAuth-Provider HTTP header. If the request carries no OAuth-Provider HTTP header, the first configured OAuth provider is used.
For administrators, the scope field within the access token must be set to admin.
The sub (subject) field within the token must be set to the identifier of the corresponding IBM Verify Identity Access Digital Credentials agent.
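The selection and token rules above, sketched as an added example (not IBM's code). The provider names, agent identifiers and function names are constructed. It assumes the introspection response follows RFC 7662 (an active flag and a space-delimited scope string) and that an unrecognized OAuth-Provider value is rejected, which the page does not specify.

```python
# Added illustration: names and identifiers below are constructed, not product values.

# Configured provider names, in configuration order; the first is the default.
PROVIDERS = ["agents-op", "holders-op"]


def select_provider(headers, providers=PROVIDERS):
    """Return the provider named by OAuth-Provider, or the first one if absent."""
    # HTTP header names are case-insensitive, so compare in lower case.
    wanted = next(
        (v for k, v in headers.items() if k.lower() == "oauth-provider"), None
    )
    if wanted is None:
        return providers[0]
    if wanted in providers:
        return wanted
    # Assumption: an unknown provider name fails closed instead of
    # silently falling back to the default provider.
    raise PermissionError("unknown OAuth provider")


def check_introspection(resp, agent_id=None, require_admin=False):
    """Apply the page's token rules to a parsed RFC 7662 introspection response."""
    # An inactive (expired or revoked) token is rejected before anything else.
    if resp.get("active") is not True:
        return False
    if require_admin:
        # Split the scope string into tokens: a substring test would
        # wrongly accept a scope such as "administrator".
        if "admin" not in str(resp.get("scope", "")).split():
            return False
    if agent_id is not None:
        # sub must equal the agent identifier exactly.
        if resp.get("sub") != agent_id:
            return False
    return True


if __name__ == "__main__":
    provider = select_provider({"OAuth-Provider": "holders-op"})
    ok = check_introspection(
        {"active": True, "scope": "admin", "sub": "agent-1"},  # constructed response
        agent_id="agent-1",
        require_admin=True,
    )
    print(provider, ok)
```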