An access token can be generated by providing a refresh token. The generated token can then be used as an authentication token to access resources for up to 8 hours.
The Client will need to provide a JWS whose payload contains the Program UID as sub (subject) and the current Epoch time as iat (issued at timestamp). The JWS is signed with HS512 using an HMAC key that has been shared offline previously. See the above guide for more details.
When Newline processes the POST /auth request, it validates that the iat claim is current. A 30-second difference is allowed to account for clock skew. Nevertheless, it is important that the refresh token be submitted as quickly as possible after it is generated to avoid failure in receiving an access token. Note that the returned access token is a valid JWS following auth-
and the whole value (auth-header.payload.signature) must be provided in the Authorization header when making requests to other endpoints.
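The refresh-token construction and the iat freshness check described above, as an added example that is not Newline's own code. The function names, the header containing only alg, iat in whole seconds, and a symmetric 30-second window are assumptions; the key and Program UID must be supplied by the caller.

```python
import base64
import hashlib
import hmac
import json
import time

SKEW_SECONDS = 30  # allowance stated on this page; treated here as symmetric (assumption)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_refresh_token(program_uid, key, now=None):
    """Client side: compact JWS (header.payload.signature) signed with HS512."""
    header = {"alg": "HS512"}  # assumption: no other header fields are required
    payload = {"sub": program_uid, "iat": int(time.time()) if now is None else now}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + _b64url(sig)


def check_refresh_token(token, key, now=None):
    """Verifier sketch: check the MAC first, pin alg, then require a current iat."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha512).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(parts[0])).get("alg") != "HS512":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    if abs(now - int(claims["iat"])) > SKEW_SECONDS:
        raise ValueError("iat outside the allowed clock-skew window")
    return claims
```

Generate the token immediately before sending POST /auth; a token built earlier and queued will fail the iat check even though its signature is valid.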