CIAM uses OAuth 2.0 and OpenID Connect (OIDC) for authentication and authorization. This page covers how to authenticate API requests and acquire tokens using each supported grant type.
Authentication methods
CIAM supports two API authentication methods depending on where your code runs.
Server-side authentication
Use server-side authentication for API calls between servers. Acquire an access token with grant_type=client_credentials, then pass it on each request using one of the following formats:
Query parameter:
https://xxx/h5/login/pwd?access_token=eyJhbGciOiJIUzI1NiIs****......fiMzvKNaWAxKfHI-3NGRequest header (bearer token):
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5......fiMzvKNaWAxKfHI-3NGndKzo_VOZjLoIFor details on the bearer token format, see RFC 6750.
Client-side authentication
Use client-side authentication only for authentication APIs running in browsers, apps, or miniapps. Add the following custom request headers to each call:
idaasSign: hex(sha1.encode(idaasAppId+idaasTimeStamp))
idaasAppId: <your Application ID from the IDaaS console>
idaasTimeStamp: new Date().getTime()Where idaasSign is a hex-encoded SHA-1 signature of your Application ID concatenated with the current timestamp.
Token acquisition
CIAM supports the following grant types. Choose based on your application type:
| Grant type | Use when |
|---|---|
| Client Credentials Grant | Your code runs server-side with no user context (machine-to-machine) |
| Authorization Code Grant | Users log in via a browser and your app has a server-side component |
| Implicit Grant | Your app is a Single-Page Application (SPA) with no server-side component |
| Resource Owner Password Credentials Grant | Your app collects user credentials directly and exchanges them for a token |
| Refresh Token | You have an existing refresh token and need to get a new access token |
Implicit Grant does not return arefresh_token. Client Credentials Grant also does not return arefresh_token.
Scopes
The scope parameter controls what the token can access. Include one or more values, separated by spaces.
| Scope | Use for |
|---|---|
APPLICATION_API | Regular application APIs |
MANAGEMENT_APPLICATION_API | Management application APIs |
USER_API | User-context APIs — required for Authorization Code Grant, Implicit Grant, and Refresh Token flows |
openid | Include when you need an ID token returned |
profile | User profile claims |
email | User email claims |
phone | User phone number claims |
read | Read-only access |
Client Credentials Grant
Gets a bearer token for server-to-server API authorization. No user context is involved and no refresh_token is returned.
Endpoint: POST /api/bff/v1.2/developer/ciam/oauth/token
Content-Type: application/json
Request parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
client_id | string | Yes | Your appKey from IDaaS |
client_secret | string | Yes | Your appSecret from IDaaS |
grant_type | string | Yes | Fixed value: client_credentials |
scope | string | No | Use APPLICATION_API for regular application APIs, or MANAGEMENT_APPLICATION_API for management APIs |
Example request
curl --request POST \
--url 'https://<your-domain>/api/bff/v1.2/developer/ciam/oauth/token' \
--header 'Content-Type: application/json' \
--data '{
"client_id": "<your-appKey>",
"client_secret": "<your-appSecret>",
"grant_type": "client_credentials",
"scope": "APPLICATION_API"
}'Replace the following placeholders:
| Placeholder | Description |
|---|---|
<your-domain> | Your CIAM domain, for example xxxx.login.aliyunidaas.com |
<your-appKey> | The appKey from the IDaaS console application list |
<your-appSecret> | The appSecret from the IDaaS console application list |
Response parameters
| Parameter | Type | Example | Description |
|---|---|---|---|
access_token | string | eyJhbG1N**********ttXBrTNQg | The access token |
token_type | string | bearer | The token type |
expires_in | long | 3600 | Token lifetime in seconds |
scope | string | create | The authorization scope granted |
Authorization Code Grant
Exchanges an authorization code for a user token. Use this when your app redirects users to CIAM for login and receives a code at the callback URL.
Endpoint: POST /api/bff/v1.2/developer/ciam/oauth/token
Content-Type: application/json
Request parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
client_id | string | Yes | Your appKey from IDaaS |
client_secret | string | Yes | Your appSecret from IDaaS |
grant_type | string | Yes | Fixed value: authorization_code |
scope | string | Yes | Must include USER_API. Include openid to receive an ID token. Separate multiple values with a space. |
code | string | Yes | Authorization code received at the callback URL |
redirect_uri | string | Yes | Callback URL registered in the IDaaS application settings |
Example request
curl --request POST \
--url 'https://<your-domain>/api/bff/v1.2/developer/ciam/oauth/token' \
--header 'Content-Type: application/json' \
--data '{
"client_id": "<your-appKey>",
"client_secret": "<your-appSecret>",
"grant_type": "authorization_code",
"scope": "USER_API openid",
"code": "<authorization-code>",
"redirect_uri": "<your-callback-url>"
}'Replace the following placeholders:
| Placeholder | Description |
|---|---|
<your-domain> | Your CIAM domain |
<your-appKey> | The appKey from the IDaaS console |
<your-appSecret> | The appSecret from the IDaaS console |
<authorization-code> | The code received in the callback |
<your-callback-url> | The callback URL registered in IDaaS, for example https://yourapp.example.com/callback |
Response parameters
| Parameter | Type | Example | Description |
|---|---|---|---|
access_token | string | eyJhbG1N**********ttXBrTNQg | The access token |
refresh_token | string | eyJhbG1N**********ttXBrTNQg | Used to refresh the access token |
token_type | string | bearer | The token type |
id_token | string | eyJhbG1NiIsI******ttXBrTNQg | ID token — returned only when scope includes openid |
expires_in | long | 3600 | Token lifetime in seconds |
scope | string | USER_API | The authorization scope granted |
Implicit Grant
Gets a user token directly from the authorization endpoint. Use this for SPAs and other client-side apps with no server-side component.
Implicit Grant does not return a refresh_token.Endpoint: GET /api/bff/v1.2/developer/ciam/oauth/authorize
Request parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
client_id | string | Yes | Your appKey from IDaaS |
response_type | string | Yes | Fixed value: token |
scope | string | Yes | Must include USER_API. Include openid to receive an ID token. Separate multiple values with a space. |
redirect_uri | string | Yes | Callback URL registered in the IDaaS application settings. URL-encode this value. |
state | string | No | A random value used to prevent cross-site request forgery (CSRF). The authorization server returns this value unchanged in the callback. |
Example request
GET {ciam.example.com}/api/bff/v1.2/developer/ciam/oauth/authorize?response_type=token&client_id=KnUPlQlqm
&scope=USER_API%20APPLICATION_API%20read%20openid%20profile%20email&state=123
&redirect_uri=https://xxxxxResponse parameters
| Parameter | Type | Example | Description |
|---|---|---|---|
access_token | string | eyJhbG1NiIsI******ttXBrTNQg | The access token |
token_type | string | bearer | The token type |
id_token | string | eyJhbG1NiIsI******ttXBrTNQg | ID token — returned only when scope includes openid |
expires_in | long | 3600 | Token lifetime in seconds |
scope | string | USER_API | The authorization scope granted |
state | string | xxxx | The state value passed in the request |
Refresh token
Exchanges a refresh token for a new access token. Use this to maintain user sessions without requiring re-authentication.
Endpoint: POST /api/bff/v1.2/developer/ciam/oauth/token
Content-Type: application/json
Request parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
client_id | string | Yes | Your appKey from IDaaS |
client_secret | string | Yes | Your appSecret from IDaaS |
grant_type | string | Yes | Fixed value: refresh_token |
scope | string | Yes | Must include USER_API. Include openid to receive an ID token. Separate multiple values with a space. |
refresh_token | string | Yes | The user's refresh token |
Example request
curl --request POST \
--url 'https://<your-domain>/api/bff/v1.2/developer/ciam/oauth/token' \
--header 'Content-Type: application/json' \
--data '{
"client_id": "<your-appKey>",
"client_secret": "<your-appSecret>",
"grant_type": "refresh_token",
"scope": "USER_API openid",
"refresh_token": "<your-refresh-token>"
}'Response parameters
| Parameter | Type | Example | Description |
|---|---|---|---|
access_token | string | eyJhbG1NiIsI******ttXBrTNQg | The access token |
refresh_token | string | eyJhbG1NiIsI******ttXBrTNQg | The refresh token |
token_type | string | bearer | The token type |
id_token | string | eyJhbG1NiIsI******ttXBrTNQg | ID token — returned only when scope includes openid |
expires_in | long | 3600 | Token lifetime in seconds |
scope | string | USER_API | The authorization scope granted |
OIDC service discovery
Returns OpenID Connect metadata for the CIAM authorization server. Use this endpoint to programmatically configure your OIDC client library.
If you are integrating CIAM with a framework that requires an issuer address (for example, Spring Security), use:
https://<baseUrl>/api/bff/v1.2/developer/ciam/oidc/<idaasAppId>Endpoint: GET /api/bff/v1.2/developer/ciam/oidc/<idaasAppId>/.well-known/openid-configuration
Request parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
idaasAppId | string | Yes | Application ID from the IDaaS console Application Management list |
Example response
{
"issuer": "https://xxxx.login.aliyunidaas.com/api/bff/v1.2/developer/ciam/oidc/idaas_ciam_public_cn_-xxxx",
"authorization_endpoint": "https://xxxx.login.aliyunidaas.com/api/bff/v1.2/developer/ciam/oauth/authorize",
"userinfo_endpoint": "https://xxxx.login.aliyunidaas.com/api/bff/v1.2/developer/ciam/user/profile",
"token_endpoint": "https://xxxx.login.aliyunidaas.com/api/bff/v1.2/developer/ciam/oidc/token",
"jwks_uri": "https://xxxx.login.aliyunidaas.com/api/bff/v1.2/developer/ciam/oidc/idaas_ciam_public_cn_-xxxx/.well-known/jwks.json",
"end_session_endpoint": "https://xxxx.login.aliyunidaas.com/api/bff/v1.2/developer/ciam/user/logout",
"introspection_endpoint": "https://xxxx.login.aliyunidaas.com/api/bff/v1.2/developer/ciam/user/token/check",
"reject_endpoint": "https://xxxx.login.aliyunidaas.com/api/bff/v1.2/developer/ciam/user/oauth/device/reject",
"response_types_supported": ["code", "token", "id_token", "id_token token"],
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"claims_parameter_supported": true,
"require_request_uri_registration": false,
"grant_types_supported": [
"authorization_code",
"client_credentials",
"refresh_token",
"implicit",
"password",
"urn:ietf:params:oauth:grant-type:device_code"
],
"scopes_supported": [
"APPLICATION_API", "USER_API", "read", "openid", "profile", "email", "phone"
],
"claims_supported": [
"sub", "iss", "aud", "nbf", "nickname", "exp", "iat", "jti",
"nonce", "username", "email", "email_verified",
"phone_number", "phone_number_verified", "externalId", "preferred_username"
],
"subject_types_supported": ["public"],
"id_token_signing_alg_values_supported": ["RS256"],
"token_endpoint_auth_methods_supported": ["client_secret_post"],
"response_modes_supported": ["fragment", "query"]
}Error response
If idaasAppId is invalid or the application has been disabled:
{
"error_description": "[xxx]The application does not exist or has been disabled",
"requestId": "1663756588639$d7da5416-ad73-7230-3f7d-f0bd618804e5",
"error": "invalid_client",
"error_uri": "xxxx/api/bff/v1.2/developer/ciam/oidc/xxx/.well-known/openid-configuration"
}