Get an administrative access token
Access the OIDC Configuration Endpoints
Call the /login/token endpoint to request a token with the API scopes needed for configuration. When configuring Basic authorization for this call, use your OIDC configuration client ID as the username and the OIDC configuration client secret as the password.
It’s a good idea to create at least one extra configuration token policy, even if the token lifetimes and allowed scopes are identical to the configuration token policy issued by Akamai. Why? Well, suppose you accidentally delete your configuration token policy. (It can happen.) If you do that, you’ll no longer have access to the OpenID Connect Configuration APIs, which makes it impossible to manage Hosted Login.
Couldn’t you just create a new configuration token policy? Well, you could, except that creating a new token policy requires you to have a configuration access token, and there’s no way for you to get a configuration access token unless you already have a configuration token policy.
Request template
```bash
curl -X POST \
  https://v1.api.<region>.janrain.com/<customer-id>/login/token \
  -H 'Authorization: Basic <Base64-encoded-client_id:client_secret>' \
  -F 'grant_type=client_credentials' \
  -F 'scope=<allowed-config-endpoints>'
```
Example request
```bash
curl -X POST \
  https://v1.api.us.janrain.com/12345678-1234-1234-1234-123456789012/login/token \
  -H 'Authorization: Basic N2JhNTE2NjEtMWE3ZS0...1BVU1vbGdRRUVLQlpwdlRB' \
  -F 'grant_type=client_credentials' \
  -F 'scope=*:config/**'
```
Example response
```json
{
  "access_token": "abc1deA2BfgCDEFhGiHjIJKkL3l4MmnNopOPqQR-Srst-5T6UuvV7WXw8YZx9y0A",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "*:config/**"
}
```
The scope in this example allows full read/write access to all Hosted Login endpoints for your Customer ID. If you want to limit the scope to a specific endpoint or subset of endpoints, and/or you want to allow only certain actions on those endpoints, you can adjust this value accordingly. Scope formatting is documented here.
Scope examples
| To create a token that can ... | Use this scope syntax |
|---|---|
| Read (GET) all token policies, login policies, and OIDC clients | `'scope=.:config/**'` |
| Read (GET) and configure (POST, PUT) all token policies | `'scope=*:config/tokenPolicies**'` |
| Read (GET) all token policies and all login policies (separated by a space) | `'scope=.:config/tokenPolicies** .:config/loginPolicies**'` |
| Read (GET) a specific login policy | `'scope=.:config/loginPolicies/1ab23c45-6789-0123-d4ef-5g678h90ijk1'` |
| Read (GET) and configure (PUT) a specific login policy | `'scope=*:config/loginPolicies/1ab23c45-6789-0123-d4ef-5g678h90ijk1'` |
| Read (GET) and configure (PUT) the token policy, login policy, and OIDC client for a specific property (separated by a space) | `'scope=*:config/tokenPolicies/a123bcde-4f56-7890-gh12-i34j567k8l90 *:config/loginPolicies/1ab23c45-6789-0123-d4ef-5g678h90ijk1 *:config/clients/1ab23456-7c8d-90ef-g123-45hij6789012'` |
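
The following added example (not from the original page or from Akamai) builds a narrowly scoped request following the pattern in the scope table and checks a token response against what was requested before the token is used. The function names, sample values, and the 3600-second lifetime ceiling are assumptions; the scope pattern is inferred from the table's rows.

```python
import base64
import json

def basic_auth_header(client_id, client_secret):
    """Value for the Authorization header: Basic base64(client_id:client_secret)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def build_scope(grants):
    """grants: (resource, object_id or None, writable) tuples.
    Pattern inferred from the scope table: '.' = read only, '*' = read and
    configure; '<resource>**' = all objects, '<resource>/<id>' = one object."""
    parts = []
    for resource, object_id, writable in grants:
        prefix = "*" if writable else "."
        target = f"{resource}/{object_id}" if object_id else f"{resource}**"
        parts.append(f"{prefix}:config/{target}")
    return " ".join(parts)

def check_token_response(body, requested_scope, max_lifetime=3600):
    """Return a list of problems; an empty list means the grant matches the request.
    Literal comparison of scope strings, not a wildcard-aware subset test."""
    data = json.loads(body)
    problems = []
    if data.get("token_type") != "Bearer":
        problems.append("unexpected token_type")
    if not data.get("access_token"):
        problems.append("missing access_token")
    extra = set(data.get("scope", "").split()) - set(requested_scope.split())
    if extra:
        problems.append("granted scope broader than requested: " + " ".join(sorted(extra)))
    if data.get("expires_in", 0) > max_lifetime:
        problems.append("token lifetime exceeds expected maximum")
    return problems

# Constructed sample values, not real credentials or server output.
SCOPE = build_scope([("tokenPolicies", None, False), ("loginPolicies", None, False)])
GOOD = json.dumps({"access_token": "constructed-token", "expires_in": 3600,
                   "token_type": "Bearer", "scope": SCOPE})
BROAD = json.dumps({"access_token": "constructed-token", "expires_in": 3600,
                    "token_type": "Bearer", "scope": "*:config/**"})

if __name__ == "__main__":
    print(SCOPE)
    print(check_token_response(GOOD, SCOPE))
    print(check_token_response(BROAD, SCOPE))
```

A read-only automation job that receives a `*:config/**` token fails this check, which flags a client or token policy that allows more than the job needs.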
Updated almost 3 years ago