How-To Guides

Making an Authenticated API Request

Authentication tokens can be obtained from the internal HMPPS OAuth server, HMPPS Auth, using the Client Credentials flow. Credentials for accessing an integration service are supplied by the ‘HMPPS Auth, Audit and Registers’ team. The client should be configured with the correct scopes and authorities for the API endpoints provided by the integration service; these will then be present in the issued JWT.

# Client credentials - supplied by 'HMPPS Auth, Audit and Registers' team
CLIENT_ID=<hmpps-auth-client-id>
CLIENT_SECRET=<hmpps-auth-client-secret>

# Request a JWT access token
AUTH_TOKEN=$(
    curl -s --location \
        --request POST "https://sign-in.hmpps.service.justice.gov.uk/auth/oauth/token?grant_type=client_credentials" \
        --user "$CLIENT_ID:$CLIENT_SECRET" |
        jq -r .access_token
)

# Inspect the JWT and ensure scopes and authorities are correct
jwt decode "$AUTH_TOKEN"

To make a request to the API, submit a GET request to an endpoint in the integration service, supplying the JWT access token as a bearer token in an Authorization header.

# Quote the URL so the shell does not treat the <...> placeholder as a redirection
curl -s --location "https://<integration-service-name>.hmpps.service.justice.gov.uk/case-details/X633793/1" \
    --header "Authorization: Bearer $AUTH_TOKEN"
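
The manual inspection step above can also be scripted, so that a client missing an authority or scope is caught before the API call. This is an added example, not part of the original guide or of any HMPPS code; the function names and the claim names `exp`, `authorities` and `scope` are assumptions to confirm against the output of `jwt decode`.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of JWT claims. It does not verify the signature.
# Assumed claim names: "exp", "authorities", "scope" (confirm with `jwt decode`).

# Print the JSON payload (second dot-separated segment) of a JWT.
jwt_payload() {
    local seg
    seg=$(printf '%s' "$1" | cut -s -d. -f2 | tr '_-' '/+')
    [ -n "$seg" ] || return 1
    # base64url drops the padding; restore it before decoding
    case $(( ${#seg} % 4 )) in
        1) return 1 ;;
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Succeed only if the token is unexpired and holds every required authority and scope.
# usage: jwt_check "$AUTH_TOKEN" "ROLE_EXAMPLE_READ" "read"   (constructed role name)
# Setting NOW (epoch seconds) overrides the clock.
jwt_check() {
    local payload now
    payload=$(jwt_payload "$1") || return 1
    now=${NOW:-$(date +%s)}
    printf '%s' "$payload" | jq -e --argjson now "$now" \
        --arg roles "$2" --arg scopes "$3" '
        # accept a claim given as a JSON array or a space-separated string
        def as_list: if type == "string" then split(" ")
                     elif type == "array" then . else [] end;
        def has_all($want): ($want | split(" ") | map(select(. != ""))) - as_list == [];
        (.exp // 0) > $now
        and (.authorities | has_all($roles))
        and (.scope | has_all($scopes))
    ' >/dev/null
}

# Constructed sample only: wrap a JSON payload in an unsigned token for testing.
sample_token() {
    printf 'e30.%s.sig' "$(printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-')"
}
```

A non-zero exit status from `jwt_check` means the token is malformed, expired, or missing a required authority or scope; the integration service still performs the authoritative validation.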