GET Authorize/Verify

Verifies whether the caller's bearer token is still valid.

Requirements

  • Permissions:  The caller is not required to have any special permissions.
  • Token scope:  Any valid scope, such as Agent, Certificate, or SSH

Headers

  • Content type: Content-Type:application/json.

  • Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.

Parameters

None. However, in the request URL, specify vedauth. For example, GET https://tpp.venafi.example/vedauth/Authorize/Verify.

Returns

If the token is still valid, this API call returns HTTP 200 and a confirmation message. Otherwise, Authorize/Verify returns an HTTP 401 and the following data:

Response description

Name

Description

HTTP 200

This method returns information about the bearer access token and grant. For valid requests, Authorize/Verify returns an HTTP 200 message and the following data. All times reflect the VEDAuth server time. The length of time depends on Remote tree settings:

  • access_issued_on: The time that Vedauth issued the access token. Appears in the .NET JavaScriptSerializer or JSON format.
  • access_issued_on_ISO8601: The corresponding issuance time of the access token. Appears in the Coordinated Universal Time (UTC) format, including time zone.
  • access_issued_on_unix_time: The corresponding issuance time of the access token. Appears in the Epoch format.
  • application: Case sensitive. The value must match the Client ID in the API integration. For more information, see Setting up token authentication.
  • expires: The grant expiration time—not the token expiration time. Appears in the .NET JavaScriptSerializer or JSON format. After this time, you can no longer refresh the token.
  • expires_ISO8601: The corresponding grant expiration time. Appears in the Coordinated Universal Time (UTC) format, including time zone.
  • expires_unix_time: The corresponding grant expiration time. Appears in the Epoch format, that is, the number of seconds since January 1st, 1970 UTC.
  • grant_issued_on: The grant authorization time. Appears in the .NET JavaScriptSerializer or JSON format.
  • grant_issued_on_ISO8601: The corresponding grant authorization time. Appears in the Coordinated Universal Time (UTC) format, including time zone.
  • grant_issued_on_unix_time: The grant authorization time stamp. Appears in the Epoch format.
  • identity: The PrefixedUniversal identifier of the caller that can use the grant.
  • scope: The access token scope, which is the authorized range of resources that the identity can use.
  • valid_for: The lifetime, in seconds, that VedAuth issued for this token. For example, 7776000 is 90 days. The value matches expires_in from an Authorize response, such as POST Authorize/OAuth.

HTTP 400

If the response is HTTP 400, a generic error appears with a customized description for this particular endpoint.

  • Error

    • invalid_client: Browser-based authentication is disabled.

    • invalid_request: The client_id is missing or an internal error occurred.

    • invalid_scope: The requested scope is missing, expired, revoked, malformed, or exceeds the scope from the API Integration in the UI.

    • invalid_grant: Details vary based on the Authorize request. Reasons for this error include:

      • The Authorize user ID and password were either invalid or missing.
      • A scope is not allowed for the particular API integration.
      • The device_code from POST Authorize/Device is expired or invalid.

      • The client_id must match the Client ID in the UI API integration.

    • unauthorized_client: The Venafi user is not authorized for this authorization grant type.

  • Error_description: If available, additional information about how to retry the request.

HTTP 401

If the token is invalid or there are session errors, this API call returns:

  • error: The type of error.
  • error_description: The session error description.

Example: Is the caller's token still valid?

Request

GET https://tpp.venafi.example/vedauth/Authorize/Verify
Authorization:Bearer 4MyGeneratedBearerTknz==

Response

HTTP/1.1 200 Token is valid
{
   "access_issued_on":"/Date(1604956045163)/",
   "access_issued_on_ISO8601":"2020-11-09T21:07:25Z",
   "access_issued_on_unix_time":1604956045,
   "application":"TPP.Auto",
   "expires":"/Date(1636492045163)/",
   "expires_ISO8601":"2021-11-09T21:07:25Z",
   "expires_unix_time":1636492045,
   "grant_issued_on":"/Date(1604956045163)/",
   "grant_issued_on_ISO8601":"2020-11-09T21:07:25Z",
   "grant_issued_on_unix_time":1604956045,
   "identity":"local:{8e1bf110-8ef8-4a53-a6da-d5d29c983451}",
   "scope":"certificate:manage;configuration:manage;security:manage",
   "valid_for":7776000
}
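
The following is an added example, not part of the product documentation: it reads the HTTP 200 body shown above and separates access token expiry from grant expiry, then checks the application and scope against what the caller expects. It assumes the access token expires at access_issued_on_unix_time + valid_for; the function names, expected_application, and allowed_scopes are hypothetical caller-side choices.

```python
import json
import re
from datetime import datetime, timezone

# Response body copied from the example on this page.
SAMPLE_BODY = """{
   "access_issued_on":"/Date(1604956045163)/",
   "access_issued_on_ISO8601":"2020-11-09T21:07:25Z",
   "access_issued_on_unix_time":1604956045,
   "application":"TPP.Auto",
   "expires":"/Date(1636492045163)/",
   "expires_ISO8601":"2021-11-09T21:07:25Z",
   "expires_unix_time":1636492045,
   "grant_issued_on":"/Date(1604956045163)/",
   "grant_issued_on_ISO8601":"2020-11-09T21:07:25Z",
   "grant_issued_on_unix_time":1604956045,
   "identity":"local:{8e1bf110-8ef8-4a53-a6da-d5d29c983451}",
   "scope":"certificate:manage;configuration:manage;security:manage",
   "valid_for":7776000
}"""

_DOTNET_DATE = re.compile(r"^/Date\((-?\d+)\)/$")

def dotnet_date_to_unix(value):
    """Convert a /Date(milliseconds)/ value to whole seconds since the epoch."""
    match = _DOTNET_DATE.match(value)
    if not match:
        raise ValueError(f"not a /Date(ms)/ value: {value!r}")
    return int(match.group(1)) // 1000

def iso_utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def review_token(body, now, expected_application, allowed_scopes):
    """Summarize a Verify response; `now` is seconds since the epoch."""
    data = json.loads(body)
    # Assumption: the access token lives valid_for seconds from its issuance.
    token_expires = data["access_issued_on_unix_time"] + data["valid_for"]
    grant_expires = data["expires_unix_time"]  # grant expiry, not token expiry
    scopes = [s for s in data["scope"].split(";") if s]
    return {
        "token_expires_utc": iso_utc(token_expires),
        "grant_expires_utc": iso_utc(grant_expires),
        "token_seconds_left": max(0, token_expires - now),
        "can_refresh": now < grant_expires,
        "application_ok": data["application"] == expected_application,  # case sensitive
        "excess_scopes": [s for s in scopes if s not in allowed_scopes],
        "timestamps_consistent": dotnet_date_to_unix(data["expires"]) == grant_expires,
    }
```

A non-empty excess_scopes list means the token carries more scope than the integration needs, which is worth correcting in the API integration settings.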