🔐 New Token Endpoint with Granular API Access
Release Date: June 13, 2025
What’s New?
We’ve introduced improvements to how API access is authorized to enhance security and give customers more precise control over what data and actions their integrations can access.
What Changed?
- A new token endpoint must now be used to generate access tokens: POST https://auth.alvys.com/oauth/token
- Tokens now include permission scopes (e.g. load:read, trip:create) that define which resources and actions the client is allowed to access
- Scope-based access enforcement is enabled for tokens generated via the new endpoint; requests without the proper scope will return 403 Forbidden
- The legacy {tenant_id} token endpoint is deprecated and will be shut down on July 31, 2025 (tokens from this endpoint do not include scopes and are treated as read-only for now)
How to Request a Token
To request a token, send a POST request to the new endpoint with this JSON body:
{
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "audience": "https://api.alvys.com/public/",
  "grant_type": "client_credentials"
}
When including a "scope" field in the token request body, please note:
- The returned token will always include all scopes that have been granted to your client application, regardless of what you specify in the scope field.
- Therefore, including a scope field in the request does not override or limit the access defined by your assigned permissions in the issued token.
- The only functional effect of providing a scope field is that the token request will fail (unauthorized) if you include any scope that has not been granted to your client.
- If the scope field is omitted, the token will still include all scopes granted to your application.
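The sketch below is an added example, not Alvys code. It lists the scopes an integration needs in the request, so that a missing grant fails at token time, and then compares the granted scopes against that list to spot over-privileged clients. The space-delimited scope format and the "scope" field in the token response are assumptions based on RFC 6749, and the function names and sample response are constructed for illustration.

```python
import json
import urllib.request

TOKEN_URL = "https://auth.alvys.com/oauth/token"   # from the changelog
AUDIENCE = "https://api.alvys.com/public/"         # from the changelog


def build_token_request(client_id, client_secret, required_scopes=()):
    """Build the JSON body. Listing required scopes turns a missing grant
    into a failed token request instead of a 403 later on."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": AUDIENCE,
        "grant_type": "client_credentials",
    }
    if required_scopes:
        # Assumption: space-delimited string, as in RFC 6749 section 3.3.
        body["scope"] = " ".join(sorted(required_scopes))
    return body


def audit_scopes(token_response, required_scopes):
    """Return (missing, excess) scopes for a token response.
    Assumption: the response has a space-delimited "scope" field."""
    granted = set(token_response.get("scope", "").split())
    required = set(required_scopes)
    return sorted(required - granted), sorted(granted - required)


def fetch_token(client_id, client_secret, required_scopes=()):
    """POST the request; urllib raises HTTPError on a rejected request."""
    data = json.dumps(build_token_request(client_id, client_secret, required_scopes))
    req = urllib.request.Request(
        TOKEN_URL, data=data.encode(), headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample response (not real output from the service).
SAMPLE_RESPONSE = {
    "access_token": "PLACEHOLDER",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "load:read trip:create",
}

if __name__ == "__main__":
    missing, excess = audit_scopes(SAMPLE_RESPONSE, {"load:read"})
    print("missing:", missing, "excess:", excess)
```

A non-empty excess list means the client holds grants the integration does not use; since the request cannot narrow the token, those grants have to be removed from the client application itself.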
Endpoints Affected:
- ✅ New (required): POST https://auth.alvys.com/oauth/token
- 🛑 Later Deprecated: POST /authentication/{tenant_id}/token (to be removed on July 31, 2025)
Important:
The legacy POST /authentication/{tenant_id}/token token endpoint will be permanently shut down on July 31, 2025. All integrations using this authentication flow must be updated to use the new token endpoint before this date to avoid disruption.