Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.



In order to use any secure the Hobson REST API resources, you need a valid bearer valid access token. This is generated by the Login User resource. You will find a "token" attribute in the JSON response of a successful login call. The returned token is a standard  is needed. This access token must be included in every REST API call via the HTTP "Authorization" header:

Authorization: Bearer <access_token>

If the header is not present or the token is invalid, Hobson will return an error.

The access token itself is a JSON Web Token (JWT) and will look something like this:


Using a Token

You must pass a valid token to all secure REST API resources or you will get a 401 error response. To do that, add the HTTP Authorization header with the Bearer schema in your API request. For example:


Obtaining an access token

An access token can be obtained from the Hobson hub using the OAuth 2 resource owner password credentials flow.

The flow is executed by performing a POST to the http://localhost:8182/token endpoint (where localhost is substituted with your hub's hostname or IP address). The following 3 attributes should be included in the POST body using standard HTTP form encoding:

  • grant_type=password
  • username=<username>
  • password=<password>

Note that the value of username and password should be requested from the user on a login form of some sort.

If Hobson can successfully authenticate the user via the credentials provided, it will return a JSON document with an both an ID token (used to provide details about the user) and an access token (used as indicated above for REST API calls).


The following is an example cURL call that can be used to obtain an access token (assuming that local/local is a valid username/password combination):

curl -v -d 'username=local' -d 'password=local' -d 'grant_type=password' http://localhost:8182/token