Service Level Authorization

Where an application needs to obtain an access_token without user interaction, it should provide a signed JWT (


POST /oauth/token


| Parameter | Required | Type | Description |
|---|---|---|---|
| auth_token | required | String | The signed JWT |
| grant_type | required | String | Must be "jwt-bearer" |

Structure of JWT

| Claim | Required | Description |
|---|---|---|
| iss | required | The issuer of the secret key. Must be "" |
| aud | required | The hostname where the JWT will be verified |
| sub | required | The client_id issued for the secret key by SSO Passport |
| exp | required | The time window, in seconds, during which the token is valid |
| iat | required | The time, in seconds from 1 Jan 1970 GMT, when the JWT is created |
| pid | required/optional* | The identifier of the user in SSO Passport for whom the access_token is to be created. Should be provided for an existing user and if the prn value is not provided. |
| prn | required/optional* | The email of the user for whom the access_token is to be created. Should be provided for an existing user and if the pid value is not provided. |

* The following fields must be filled in to create (if pid/prn aren't provided) or update (if pid/prn are provided) an account on the fly. For account creation, all the "required" fields must be present; otherwise a non-personalized access_token is granted. For an account update, only new (non-empty) field values must be provided.

| Field | Required | Description |
|---|---|---|
| first | required/optional | First name |
| last | required/optional | Last name |
| email | optional | Email address |
| school | required/optional | Identifier of the school associated with the user. Cannot be updated. |
| role | required/optional | Role of the user |
| type | required/optional | User's type, one of the following values: "school_admin", "teacher", "student", "parent", "contact" |
| external_id | required/optional | Identifier of the user in the external system (SIS/LMS etc.). Used as a unique user key within the school, so accounts with the same external_id value cannot be created. Cannot be updated. |
| grade | optional | Grade of the student (ignored for non-"student" user types). Range of values from "-3" to "15". |
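
The request described above, as an added example that is not part of the original documentation: it assembles the claims, signs them, checks the signature and audience the way a verifier would, and builds the form body for POST /oauth/token. Assumptions: the page does not name a signing algorithm, so HS256 over the shared secret key is assumed; the function names are hypothetical, and the issuer, hostname, client_id and secret passed in are the caller's own values.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_claims(iss, aud, client_id, window_s, iat, pid=None, prn=None, profile=None):
    # exp follows this page's definition: the validity window in seconds.
    claims = {"iss": iss, "aud": aud, "sub": client_id, "exp": window_s, "iat": iat}
    if pid is not None:      # example choice: send pid when given, otherwise prn
        claims["pid"] = pid
    elif prn is not None:
        claims["prn"] = prn
    # Send only non-empty profile fields, matching the account update rule.
    claims.update({k: v for k, v in (profile or {}).items() if v not in (None, "")})
    return claims

def sign_hs256(claims: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}  # assumed algorithm, see lead-in
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, secret: bytes, expected_aud: str) -> dict:
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    return claims

def token_request_body(jwt: str) -> str:
    return urlencode({"grant_type": "jwt-bearer", "auth_token": jwt})
```
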