Skip to main content

Access tokens

After finding a service endpoint to interact with, it's time to request an access token. You can request one via your own Nuts node:

POST /internal/auth/v2/my_subject_identifier/request-service-access-token

{
  "authorization_server": "https://example.com/oauth2/other_subject_identifier",
  "scope": "coffee",
  "token_type": "Bearer",
  "credentials": [...]
}

  • The authorization_server parameter is taken from the authServerURL registration parameter from the search result.
  • The scope is determined by the use case.
  • The token_type by default is DPoP, you can also choose for Bearer.
  • You can pass additional holder credentials via credentials. This is a way to embed user identity tokens.

The scope is mapped by a policy file to a presentation definition. Policy files are provided by the use case. If your wallet contains the correct credentials according to the presentation definition, an access token will be given:

{
  "access_token": "ciOiJSUzI1NiIsInR5cCI6Ikp",
  "token_type": "Bearer",
  "expires_in": 3600,
}

The access_token can then be put in the HTTP Authorization header.