# Authentication

# Basics

Communication with the anybill API is only possible after prior authentication. anybill uses OAuth 2.0 / OpenID Connect access tokens for authentication; the identities are managed in an Azure Active Directory B2C tenant. To obtain an access token you need a client id and a service account with username and password.

# Scopes

The functional areas of the API are secured by scopes. An access token with the requested scopes must be used for the respective functional area. The following scopes currently exist:

User endpoints:

Onboarding endpoints:

# Retrieving an Access Token

To retrieve an access token, send an HTTP POST request with the following data to our OAuth 2.0 token endpoint.

URL

`https://adanybill.b2clogin.com/ad.anybill.de/oauth2/v2.0/token?p=b2c_1_ropc_vendor`

Header

`Content-Type: application/x-www-form-urlencoded`

Request Body (x-www-form-urlencoded)

```text
grant_type=password
username=<username>
password=<password>
client_id=<your client id>
scope=<your scopes> openid offline_access
response_type=token
```

Response Body

If authentication is successful, the server returns the access token in the following format:

```json
{
    "access_token": "*****",
    "token_type": "Bearer",
    "expires_in": 86400,
    "refresh_token": "*****"
}
```

Example cURL

```bash
curl --location 'https://adanybill.b2clogin.com/ad.anybill.de/oauth2/v2.0/token?p=b2c_1_ropc_vendor' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'scope=https://ad.anybill.de/partner-platform/user openid offline_access' \
--data-urlencode 'response_type=token' \
--data-urlencode 'username=<your-username>' \
--data-urlencode 'password=<your-password>' \
--data-urlencode 'client_id=<your-client-id>'
```

Valid for:

The access_token is valid for 86400 seconds (24 hours). Afterwards it can be refreshed using the received refresh token.

# Refresh an Access Token

If the access token has expired, the anybill API returns a 401 Unauthorized error. To regain access to the API, the access token has to be refreshed using the refresh token received earlier.

URL

`https://adanybill.b2clogin.com/ad.anybill.de/oauth2/v2.0/token?p=b2c_1_ropc_vendor`

Header

`Content-Type: application/x-www-form-urlencoded`

Request Body (x-www-form-urlencoded)

```text
grant_type=refresh_token
refresh_token=<your refresh token>
client_id=<your client id>
scope=<your scopes> offline_access
response_type=token
```

Response Body

```json
{
    "access_token": "*****",
    "token_type": "Bearer",
    "expires_in": 86400,
    "refresh_token": "*****",
    "refresh_token_expires_in": 1209600
}
```

Example cURL

```bash
curl --location 'https://adanybill.b2clogin.com/ad.anybill.de/oauth2/v2.0/token?p=b2c_1_ropc_vendor' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'scope=https://ad.anybill.de/partner-platform/user openid offline_access' \
--data-urlencode 'response_type=token' \
--data-urlencode 'client_id=<your-client-id>' \
--data-urlencode 'refresh_token=<your-refresh-token>'
```

Valid for:

The refresh token is valid for 90 days. Afterwards the service account credentials have to be used again to obtain a new access token and refresh token.
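The two grants above (password grant to obtain a token, refresh grant to renew it) are usually wrapped in a small token cache so that the credentials are sent as rarely as possible. The following is an added example, not anybill's own client code: it renews the access token shortly before `expires_in` runs out, tracks the refresh token lifetime (`refresh_token_expires_in`, or the documented 90 days when absent), and falls back to the password grant when the refresh token is expired or rejected. The HTTP call is injected as a callable, and `fake_anybill_post` is a constructed stand-in for the token endpoint so the example runs offline.

```python
import time
from urllib.parse import parse_qsl, urlencode

# Endpoint, header and form fields as documented above; the HTTP call is injected (post callable).
TOKEN_URL = "https://adanybill.b2clogin.com/ad.anybill.de/oauth2/v2.0/token?p=b2c_1_ropc_vendor"
SCOPE = "https://ad.anybill.de/partner-platform/user openid offline_access"

class TokenManager:
    """Caches the access token, refreshes it before expiry, falls back to the password grant."""

    def __init__(self, client_id, username, password, post, leeway=60, now=time.time):
        self.client_id, self.username, self.password = client_id, username, password
        self.post, self.leeway, self.now = post, leeway, now  # post(url, headers, body) -> (status, json)
        self.access_token = self.refresh_token = None
        self.access_exp = self.refresh_exp = 0.0

    def _token_request(self, fields):
        body = urlencode({**fields, "client_id": self.client_id, "response_type": "token", "scope": SCOPE})
        status, data = self.post(TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        t = self.now()
        self.access_token, self.access_exp = data["access_token"], t + data["expires_in"]
        self.refresh_token = data["refresh_token"]
        # only the refresh response carries refresh_token_expires_in; otherwise assume the documented 90 days
        self.refresh_exp = t + data.get("refresh_token_expires_in", 90 * 86400)
        return self.access_token

    def get_token(self):
        """Return a bearer token that stays valid for at least `leeway` more seconds."""
        t = self.now()
        if self.access_token and t < self.access_exp - self.leeway:
            return self.access_token
        if self.refresh_token and t < self.refresh_exp - self.leeway:
            try:
                return self._token_request({"grant_type": "refresh_token", "refresh_token": self.refresh_token})
            except RuntimeError:
                pass  # refresh rejected (e.g. revoked): re-authenticate with the service account
        return self._token_request({"grant_type": "password", "username": self.username, "password": self.password})

def fake_anybill_post(url, headers, body):
    """Constructed stand-in for the token endpoint (offline demonstration only, not the real service)."""
    f = dict(parse_qsl(body))
    ok = {"token_type": "Bearer", "expires_in": 86400}
    if f["grant_type"] == "password" and f["password"] == "correct-horse":
        return 200, {**ok, "access_token": "at-1", "refresh_token": "rt-1"}
    if f["grant_type"] == "refresh_token" and f["refresh_token"] == "rt-1":
        return 200, {**ok, "access_token": "at-2", "refresh_token": "rt-2", "refresh_token_expires_in": 1209600}
    return 400, {"error": "invalid_grant"}
```

Wire the real endpoint in by passing a `post` callable that performs the HTTP request (for example with `requests.post`) and returns `(response.status_code, response.json())`.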