Authentification
Chaque intégration possède une paire client_id / client_secret, échangée contre un token OAuth 2.0 Client Credentials signé RS256. Les scopes accordés à la création de la clé déterminent les routes accessibles.
POST
/v1/auth/tokenÉchange client_id/client_secret contre un access_token
Requête
{
"grant_type": "client_credentials",
"client_id": "sk_sandbox_xxx",
"client_secret": "your_secret",
"scope": "match:read profile:write"
}Réponse
{
"access_token": "eyJ...",
"refresh_token": "eyJ...",
"token_type": "bearer",
"expires_in": 3600,
"scope": "match:read profile:write"
}POST
/v1/auth/refreshRenouvelle un access_token expiré
Requête
{
"refresh_token": "eyJ..."
}Réponse
{
"access_token": "eyJ...",
"refresh_token": "eyJ...",
"token_type": "bearer",
"expires_in": 3600
}POST
/v1/auth/revokeRévoque un token immédiatement
Requête
{
"token": "eyJ..."
}Réponse
{
"message": "Token révoqué."
}POST
/v1/sandbox/keysCrée une nouvelle clé API (self-service)
Requête
{
"name": "Plateforme partenaire",
"email": "dev@partenaire.com",
"scopes": [
"match:read",
"profile:write",
"trust:read",
"jobs:write",
"jobs:read",
"diffusion:write"
],
"quota_plan": "free"
}Réponse
{
"client_id": "sk_sandbox_8f2a1c9e0b4d",
"client_secret": "9c1e7f2a4b8d0e6f1a3c5b7d9e0f2a4c",
"scopes": [
"match:read",
"profile:write",
"trust:read",
"jobs:write",
"jobs:read",
"diffusion:write"
],
"quota_plan": "free"
}DELETE
/v1/sandbox/keys/{client_id}Révoque définitivement une clé
Réponse
204 No ContentGET
/.well-known/jwks.jsonClé publique RS256 pour valider les tokens côté client
Réponse
{
"keys": [
{
"kid": "karaba-sandbox-001",
"kty": "RSA",
"use": "sig",
"n": "...",
"e": "AQAB"
}
]
}