# Authentication

## Overview

Mifundo services use **Keycloak** for authentication. Service accounts and other machine-to-machine integrations use the OAuth 2.0 **Client Credentials Grant**: the calling system authenticates with a `client_id` and `client_secret` and obtains an access token without any user interaction.

**NB!** `client_id` and `client_secret` must be requested from Mifundo at [support@mifundo.com](mailto:support@mifundo.com).

## Environments

| Environment | Root URL |
| --- | --- |
| Test | `https://authtest.mifundo.com` |
| Live | `https://auth.mifundo.com` |

## Token Endpoint

Tokens are retrieved with a POST request to the Keycloak token endpoint:

```
{ROOT_URL}/realms/b2b/protocol/openid-connect/token
```

Replace `{ROOT_URL}` with the test or live root URL for the environment you are targeting.

## Request Parameters

The parameters are sent form-encoded (`Content-Type: application/x-www-form-urlencoded`) in the request body, not in the query string:

| Parameter | Value |
| --- | --- |
| `grant_type` | `client_credentials` |
| `client_id` | Provided by Mifundo |
| `client_secret` | Provided by Mifundo |

## Example Request (cURL)

```bash
curl -X POST https://authtest.mifundo.com/realms/b2b/protocol/openid-connect/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=your-client-id" \
  -d "client_secret=your-client-secret"
```

## Example Successful Response

```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expires_in": 300,
  "token_type": "Bearer",
  "scope": "openid"
}
```

`expires_in` is the token lifetime in seconds. If the credentials are rejected, the endpoint returns a non-2xx status with a JSON body that carries an `error` field (for example `invalid_client`) instead of `access_token`, as defined in RFC 6749; clients should check for `access_token` before using the response.

## Using the Token

Once you have the token, send it in the `Authorization` header of every API request using the `Bearer` scheme:

```
Authorization: Bearer <access_token>
```

where `<access_token>` is the value of the `access_token` field from the token response.

## Try It mode

When testing in "Try it" mode, select "OAuth 2.0" as the Authorization type in the Security section.

1. Use the "Client ID" and "Client secret" provided by Mifundo.
2. The Access Token URL depends on the selected environment:
   - Live system: https://auth.mifundo.com/realms/b2b/protocol/openid-connect/token
   - Test system: https://authtest.mifundo.com/realms/b2b/protocol/openid-connect/token
3. Click "Request token" to retrieve the JWT. The token is stored in the browser automatically. You can now continue testing by amending the Body or Path as needed and sending the request.

### Example Screenshot

(screenshot: LiveServerCredentials.png)

## Notes

- Tokens are usually valid for 5 minutes (`expires_in` = 300). Cache the token and request a new one shortly before it expires rather than calling the token endpoint for every API request.
- Always use HTTPS to protect client credentials. Send `client_secret` in the form body, never in a URL query string, and keep it out of application logs.
- Contact Mifundo to obtain or rotate client credentials securely.
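The token request, response validation and `Authorization` header usage described above, combined into one runnable module. This is an added example, not Mifundo's own client code; it assumes only the root URLs, token path and form parameters documented on this page plus a standard RFC 6749 token response. It goes slightly beyond the page by caching the token and re-authenticating `leeway` seconds before `expires_in` runs out, and by refusing non-HTTPS endpoints. The `demo-client`/`demo-secret` pair and the `fake_keycloak` function are constructed stand-ins so the module runs offline; leaving `transport=` at its default uses the real `urllib` transport against the selected realm.

```python
# Added example (not Mifundo's own code): Client Credentials token fetch + cache
# for the Keycloak realm documented above. Transport and clock are injectable so
# the logic runs offline against the constructed fake endpoint at the bottom.
import json
import time
import urllib.error
import urllib.parse
import urllib.request

ROOT_URLS = {"test": "https://authtest.mifundo.com", "live": "https://auth.mifundo.com"}
TOKEN_PATH = "/realms/b2b/protocol/openid-connect/token"


def token_url(env):
    """Token endpoint for 'test' or 'live'; refuses anything that is not HTTPS."""
    url = ROOT_URLS[env] + TOKEN_PATH
    if not url.startswith("https://"):
        raise ValueError("client credentials must only be sent over HTTPS")
    return url


def build_token_request(env, client_id, client_secret):
    """(url, headers, body) for the POST. The secret goes in the form body, never
    the query string, so it does not land in proxy or access logs."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    return token_url(env), {"Content-Type": "application/x-www-form-urlencoded"}, body


def parse_token_response(status, raw):
    """Return (access_token, ttl_seconds); raise on an RFC 6749 error response.
    Only the server's error text is surfaced, never the request or its secret."""
    data = json.loads(raw)
    if status != 200 or "access_token" not in data:
        raise PermissionError(f"token request failed ({status}): "
                              f"{data.get('error', 'unknown')}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    return data["access_token"], int(data["expires_in"])


def urllib_transport(url, headers, body):
    """Real transport -> (status, body). 4xx/5xx is returned, not raised, so the
    caller sees Keycloak's error JSON (e.g. invalid_client)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


class TokenCache:
    """Fetch a token on demand and reuse it until `leeway` seconds before expiry,
    so a busy integration does not hit the token endpoint on every API call."""

    def __init__(self, env, client_id, client_secret,
                 transport=urllib_transport, clock=time.monotonic, leeway=30):
        self._creds = (env, client_id, client_secret)
        self._transport, self._clock, self._leeway = transport, clock, leeway
        self._token, self._expires_at = None, 0.0
        self.fetches = 0  # how many times we actually re-authenticated

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._leeway:
            status, raw = self._transport(*build_token_request(*self._creds))
            self._token, ttl = parse_token_response(status, raw)
            self._expires_at = now + ttl
            self.fetches += 1
        return self._token

    def auth_header(self):
        """Header to attach to every Mifundo API request."""
        return {"Authorization": f"Bearer {self.get()}"}


# Constructed stand-in for the Keycloak endpoint (not Mifundo's server): accepts
# one fixed credential pair and answers in the shape of the documented examples.
FAKE_CLIENT = ("demo-client", "demo-secret")


def fake_keycloak(url, headers, body):
    form = dict(urllib.parse.parse_qsl(body.decode()))
    if form.get("grant_type") != "client_credentials":
        return 400, json.dumps({"error": "unsupported_grant_type"})
    if (form.get("client_id"), form.get("client_secret")) != FAKE_CLIENT:
        return 401, json.dumps({"error": "invalid_client",
                                "error_description": "Invalid client credentials"})
    return 200, json.dumps({"access_token": "eyJhbGciOiJSUzI1NiJ9.demo.sig",
                            "expires_in": 300, "token_type": "Bearer", "scope": "openid"})


if __name__ == "__main__":  # drop transport= to talk to the real test realm
    print(TokenCache("test", *FAKE_CLIENT, transport=fake_keycloak).auth_header())
```

With a 300-second token and a 30-second leeway the cache re-authenticates at most once every 270 seconds, whatever the request rate, and a wrong secret surfaces as a `PermissionError` carrying Keycloak's `invalid_client` text without echoing the credentials.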