

The Navigraph API is a REST API with base address The API provides a set of endpoints, each with its own unique path. To access the endpoints, an application must get the user's permission to access the data included in the user's subscription on the user's behalf. This is made possible using OpenID Connect (OIDC) for authentication and authorization. A complete reference to the authentication scheme can be found in the OpenID Connect Core 1.0 incorporating errata set 1.

Access Token And Refresh Token

All supported authentication flows have the same goal: to retrieve an Access Token and a Refresh Token. The Access Token must be sent in the headers of your requests to our APIs in order to get a successful HTTP 200 OK response. Without a valid access-token, our servers will respond to your requests with HTTP 401 UNAUTHORIZED.

Token Lifetime

The access-token has a limited lifetime of about 60 minutes. When it expires, you need to fetch a new token from our servers. You do this with a simple call to our token-endpoint, where you provide the refresh-token in return for three new tokens. Note that the refresh-token is long-lived; it is therefore recommended to use it the next time your user starts your application to retrieve tokens, so that the user does not have to log in manually again. The access-token and id-token follow the JSON Web Token (JWT) specification and are basically Base64-encoded JSON objects.
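The following is an added example, not Navigraph's own code: it reads the `exp` claim from a JWT access-token to decide when to use the refresh-token, and builds the form body for the refresh call. The function names are hypothetical, the form fields assume the standard OAuth 2.0 refresh grant, and nothing is sent because the token-endpoint URL is not given on this page.

```python
import base64
import json
import time
from urllib.parse import urlencode


def b64url_decode(segment):
    # JWT segments are base64url with the "=" padding stripped; restore it.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the payload of a compact JWT WITHOUT verifying the signature.

    Fine for scheduling a refresh on the client; unverified claims must
    never drive an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    claims = json.loads(b64url_decode(parts[1]))  # raises ValueError if malformed
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def needs_refresh(token, now=None, skew=60):
    """True if the token has expired or expires within `skew` seconds."""
    exp = jwt_claims(token).get("exp")
    if not isinstance(exp, (int, float)):
        return True  # no usable expiry claim: treat the token as stale
    return (time.time() if now is None else now) >= exp - skew


def refresh_request_body(refresh_token, client_id):
    # Assumption: standard OAuth 2.0 refresh grant fields (RFC 6749, section 6).
    return urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token,
                      "client_id": client_id})


def sample_token(exp):
    # Constructed sample: real tokens carry a signature from the issuer.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc({"sub": "constructed", "exp": exp}), "sig"])


if __name__ == "__main__":
    token = sample_token(int(time.time()) + 3600)  # about 60 minutes, as above
    print(jwt_claims(token), needs_refresh(token))
    print(refresh_request_body("constructed-refresh-token", "my-client-id"))
```

Because the payload is only encoded, not encrypted, anyone holding a token can read its claims, so tokens and especially the long-lived refresh-token belong in protected storage.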

Authentication Flows

We currently support two flows: Authorization Code With PKCE and Device Authorization Flow.