REST API Authentication


To use the Hobson REST API, you need a valid access token. The token must be included in every REST API call via the HTTP "Authorization" header:

Authorization: Bearer <access_token>

If the header is not present or the token is invalid, Hobson will return an error.

The access token itself is a JSON Web Token (JWT) and will look something like this:


Obtaining an access token

An access token can be obtained from the Hobson hub using the OAuth 2 resource owner password credentials flow.

The flow is executed by performing a POST to the http://localhost:8182/token endpoint (where localhost is substituted with your hub's hostname or IP address). The following 3 attributes should be included in the POST body using standard HTTP form encoding:

  • grant_type=password
  • username=<username>
  • password=<password>

Note that the values of username and password should be requested from the user on a login form of some sort.

If Hobson can successfully authenticate the user via the credentials provided, it will return a JSON document with both an ID token (used to provide details about the user) and an access token (used as indicated above for REST API calls).


The following is an example cURL call that can be used to obtain an access token (assuming that admin/password is a valid username/password combination):

curl -v -d 'username=admin' -d 'password=password' -d 'grant_type=password' http://localhost:8182/token
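The same flow from a client's side, as an added example (not part of the Hobson documentation or code base): it form-encodes the credentials so characters such as `&` or `=` in a password survive the POST (`curl -d` sends them unescaped), then builds the Authorization header from the response. The helper names, the `access_token` response field (the OAuth 2 standard name) and the `exp` claim are assumptions; the sample token is constructed.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "http://localhost:8182/token"  # from the page; substitute your hub's host

def build_token_request(username, password, url=TOKEN_URL):
    """Build the password-grant POST; urlencode escapes '&', '=', spaces, etc."""
    body = urllib.parse.urlencode(
        {"grant_type": "password", "username": username, "password": password})
    return urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def jwt_claims(token):
    """Decode (NOT verify) a compact JWT's payload so the client can read claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def auth_header(token_response, now=None):
    """Turn the /token JSON response into the header for REST API calls."""
    token = json.loads(token_response)["access_token"]  # assumed field name
    exp = jwt_claims(token).get("exp")                  # assumed claim, may be absent
    now = time.time() if now is None else now
    if exp is not None and exp <= now:
        raise ValueError("access token expired; request a new one")
    return {"Authorization": "Bearer " + token}

def fetch_token_response(username, password):
    """Perform the POST against a live hub (not exercised by the sample below)."""
    with urllib.request.urlopen(build_token_request(username, password)) as resp:
        return resp.read().decode()

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token and response, not real Hobson output.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "HS256", "typ": "JWT"}),
                         _b64url({"sub": "admin", "exp": 2000000000}),
                         "c2lnbmF0dXJl"])
SAMPLE_RESPONSE = json.dumps({"access_token": SAMPLE_TOKEN, "id_token": SAMPLE_TOKEN})

if __name__ == "__main__":
    print(build_token_request("admin", "p&ss w=rd").data, auth_header(SAMPLE_RESPONSE))
```

The claims are decoded only to read the expiry on the client; validating the token's signature remains the hub's job on every API call.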