Posti API uses OAuth 2.0 to provide authorized access to its services
Posti API uses the OAuth 2.0 protocol for authentication and authorization. OAuth 2.0 is a secure, standard protocol that lets your application send authorized requests to the Posti API services.
The authentication flow follows these steps:
NOTE! When using the Posti service account, please make sure not to store secrets (including API keys, passwords, authorization tokens, encryption keys, certificates and other credentials) in plain text on public resources that are accessible to anyone on the Internet, such as public Postman collections or workspaces, public GitHub repositories and other public resources. Use only private Postman collections and workspaces, private GitHub repositories, etc. that only authorized users can access.
If your business does not have a Posti service account, contact Posti Customer Service to get one. Note that you also need a contract with Posti.
Replace accountname:secret with the Posti service account details that Posti has provided to you.
Example request:
curl -H "Accept: application/json" --user "accountname:secret" https://oauth2.posti.com/oauth/token -d grant_type=client_credentials
Environment | Protocol | Host | Path |
---|---|---|---|
QA | HTTPS | oauth2.barium.posti.com | /oauth/token |
UAT | HTTPS | oauth2.barium.posti.com | /oauth/token |
Prod | HTTPS | oauth2.posti.com | /oauth/token |
Concatenate the username, a colon character ":", and the password into a single string. After that, Base64 encode the single string.
Before your application can access Posti API services, it must obtain an access token that grants access to the services. A single access token can grant access to multiple services where you have authorization.
The value calculated in Step 1 must be exchanged for an access token by making an HTTP POST request to the Authorization Server's access token endpoint. The request must include an Authorization header with the value "Basic <Base64 encoded value from Step 1>". The URL parameter grant_type=client_credentials must also be included in the request.
Example request:
POST https://oauth2.posti.com/oauth/token?grant_type=client_credentials
Headers:
Accept: application/json
Authorization: Basic YWNjb3VudG5hbWU6c2VjcmV0
...
Example response:
{"token_type":"bearer", "access_token": "abc123", "expires_in": 3599}
The access token may be used to issue requests to Posti API endpoints. To use the access token, construct a normal HTTPS request and include an Authorization header with the value of "Bearer <access token value from Step 2>".
The default expiration time is one hour. After that, the client application has to request a new access token.
Example request:
GET https://api.posti.fi/estimation/v1/00100/FI/99710/FI/2103?time=2017-10-03T09:00:00.000%2B0300
Headers:
Authorization: Bearer abc123
...
Status | Error | Message | Meaning |
---|---|---|---|
401 | Unauthorized | Bad credentials | Wrong username or password, or the account is locked for 1 hour after 5 invalid login attempts. |
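The three steps above (Basic credentials, token exchange, Bearer use) as one small client, added here as an example and not Posti's own code. It caches the token and refreshes it 60 seconds before expires_in runs out, and treats a non-200 answer from the token endpoint (e.g. the 401 "Bad credentials" in the table) as a hard failure rather than retrying, since repeated attempts lock the account. PostiTokenClient, SKEW and the injectable http_post transport are hypothetical names chosen for this example.

```python
import base64
import json
import time
import urllib.error
import urllib.request

TOKEN_URL = "https://oauth2.posti.com/oauth/token"  # Prod endpoint from the table above

def basic_auth_header(account: str, secret: str) -> str:
    """Step 1: Base64-encode 'account:secret' for the Authorization header."""
    raw = f"{account}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

class PostiTokenClient:
    """Fetch a client_credentials token and re-use it until shortly before expiry.
    http_post(url, headers) -> (status, body_bytes) is injectable (default: urllib) so
    the flow can be exercised offline. Added example, not Posti's own client code."""
    SKEW = 60  # refresh this many seconds before expires_in runs out

    def __init__(self, account, secret, http_post=None, now=time.time):
        self._auth = basic_auth_header(account, secret)
        self._post = http_post or self._urllib_post
        self._now = now
        self._token = None
        self._expires_at = 0.0

    @staticmethod
    def _urllib_post(url, headers):
        req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx; normalise it
            return err.code, err.read()

    def access_token(self) -> str:
        """Step 2: exchange the Basic credentials for a bearer token, caching it."""
        if self._token and self._now() < self._expires_at:
            return self._token
        status, body = self._post(TOKEN_URL + "?grant_type=client_credentials",
                                  {"Accept": "application/json", "Authorization": self._auth})
        if status != 200:  # 401 "Bad credentials": wrong secret, or locked after 5 failures
            raise PermissionError(f"token endpoint returned HTTP {status}")
        data = json.loads(body)
        self._token = data["access_token"]
        self._expires_at = self._now() + data["expires_in"] - self.SKEW
        return self._token

    def bearer_headers(self) -> dict:  # Step 3: header for a normal API request
        return {"Authorization": "Bearer " + self.access_token()}
```

Pass the result of bearer_headers() as the headers of each Posti API request; the token is only re-fetched once the cached one is about to expire.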