---
title: Tutorial - Sensedia API Platform authorizing publishers
description: How to use Sensedia API Platform to authorize publishers.
documentId: tutorial-auth
locale: en-US
---

The Events Hub allows you to use an external server to validate client IDs and/or access tokens of publishers sending requests to the Events Hub.

One option is to use the **Sensedia API Platform** for this validation.

 <Callout type="NOTE" title="NOTE">
**Sensedia API Management v5 clients**: to validate client IDs and/or access tokens of publishers, you must [import the Events Hub authorization API](/docs/events-hub/evh-api-authorization).
 </Callout>

> **Explanation:** Imagine you are organizing an event at a venue. You want only authorized people to enter, so you place a security guard at the entrance to check people's identities. The authorization server works the same way. You select the type of validation you want to perform, and it ensures the validation is enforced.

## How does it work?

On the [Policies](/docs/events-hub/policies) page, you can create security policies to apply to handlers.

> Authorization URL configuration is done by [context](/docs/events-hub/contexts). It is one of the markers of the event publishing URL, formed by: `Base URL` + `context` + `handler` + `topic`.

There are 5 available interceptors, and 4 require the publisher's authorization server to function. They are:

- **Access Token Validation**

- **Client ID Validation**

- **OAuth Validation**

- **JWT Validation**

When selecting any of them, you need to configure the authorization URL on the [Authorizations](/docs/events-hub/authorizations) screen.

## Obtaining the authorization URL with Sensedia API Platform

To use Sensedia API Platform as the validation server for policies:

<Steps>
  <Step>
   Go to **API Design > API Catalog** and search for **API Events Hub Authorization**.
  </Step>
  <Step>
   In **API Events Hub Authorization**, navigate to the **Environments** section.
  </Step>
  <Step>
   Choose the environment you want to configure, click the link icon, and copy the URL.

    - You will need to append the interceptor information, so paste it into a file.
  </Step>
  <Step>
   Go to the **Resources and Operations** section and copy the `POST` path of the interceptor type you will use.
  </Step>
  <Step>
   Append the interceptor path to the end of the environment URL. This will be your authorization URL.
  </Step>
  <Step>
   With the complete URL copied, go to **Events Hub > Authorizations** and find the context to be validated by this authorization.
  </Step>
  <Step>
    Click the add icon, paste the authorization URL, and save.
  </Step>
</Steps>

<Callout type="TIP" title="TIP">
To register a test context for authorization, in the **Environments** section, copy the link of your test environment.
 </Callout>

The **Resources and Operations** section is divided into **OAuth** and **JWT**. Pay attention when copying the path for your URL:

- The authorization URL must be generated respecting the policies applied to the context.

- If you added OAuth Validation interceptors, copy the OAuth path.

- If you added JWT Validation interceptors, copy the JWT path.

Check out how to configure the available interceptors:

<Tabs defaultTab="client">
  <TabList label="client">
    <Tab tabId="client">Client ID Validation</Tab>
    <Tab tabId="token">Access Token Validation</Tab>
    <Tab tabId="oauth">OAuth Validation</Tab>
    <Tab tabId="jwt">JWT Validation</Tab>
  </TabList>
  <TabPanel tabId="client">
        #### Client ID Validation

The **Client ID Validation** interceptor requires a simple client ID validation.

<Callout type="NOTE" title="NOTE">
When registering this interceptor for a policy, you need to define the name to be used for passing the Client ID value (e.g., client_id) and where it will be passed in the request (cookie, header, header or cookie, query param, or any).
 </Callout>

Follow the steps to configure a Client ID Validation:

**In Sensedia API Platform:**

<Steps>
 <Step>
   Go to **Consumers > APPS** and click **+ Create APP**.
  </Step>
  <Step>
   In the **APIS AND PLANS** tab, search for **Events Hub Authorization 1.0** and select it using the **SELECT ALL PLANS** button.
  </Step>
  <Step>
   Click **PUBLISH YOUR APP**.
  </Step>
</Steps>

**In Events Hub:**

<Steps>
 <Step>
 ##### Register the publisher:
        
   - With the APP saved, go to the **Publishers** screen.

   - Hover over the **+** button and click **Import From API Platform**.

   - Find the registered APP and click **SAVE**.

   - Click **ADD ENABLED TOPICS** and link the publisher to the desired topic.

   - Enable the context to be validated by the interceptor by clicking ![New context](https://creative-ball-51b3fc85c0.media.strapiapp.com/icon_view_topics_e993628732.png). If no context is enabled, the validation will not work.
        
 </Step>
<Step>
 #### Access the handler:

 - On the **Handler** screen, find the one registered for this validation.

 - In the **Topics** tab, copy the URL of the context enabled for the Client ID interceptor.
 </Step>
</Steps>

**In Postman:**

<Steps>
  <Step>
   In the `POST` request, paste the URL of your context.
  </Step>
  <Step>
   Insert the client ID parameter in the request header with the name matching the one registered for the policy (e.g., `client_id`) and click **Send**.
  </Step>
  <Step>
   Check if the request was successful in the handler status icon.
  </Step>
</Steps>

</TabPanel>
    <TabPanel tabId="token">
     #### Access Token Validation
The **Access Token Validation** interceptor requires the validation of an access token. It must be obtained using the **OAuth** flow chosen by the publisher.

<Callout type="NOTE" title="NOTE">
When registering this interceptor for a policy, you need to define the name to be used for passing the access token value (e.g., access_token) and where it will be passed in the request (cookie, header, header or cookie, query param, or any).
 </Callout>

Follow the steps to configure an Access Token Validation:

**In Sensedia API Platform:**

<Steps>
 <Step>
  Go to **Consumers > APPS** and click **+ Create APP**.
 </Step>
 <Step>
  In the **APIS AND PLANS** tab, search for **Events Hub Authorization 1.0** and select it using the **SELECT ALL PLANS** button.
 </Step>
 <Step>
  Click **PUBLISH YOUR APP**.
 </Step>
 </Steps>
  </TabPanel>
    <TabPanel tabId="token">

<Callout type="NOTE" title="NOTE">
  If you have an APP with a plan linked to the *Events Hub Authorization 1.0** API, you don't have to do this again.
 </Callout>

**No Postman**

<Steps>
  <Step>
   Generate the access token:

   To get the token, you must make a request to the **OAuth API** deployed on your platform. We will show you how to do this using the **client-credentials** flow.

<Callout type="TIP" title="TIP">
   To understand the other available flows, access the [OAUTH 2.0: access token acquisition flows](https://docs.sensedia.com/en/api-management-guide/Latest/other-info/oauth20.html) documentation.
 </Callout>

    - Make a `POST` request to the `<gateway-url>/oauth/access-token` endpoint.

    - In the header, pass:

      ```
      Authorization: Basic client_id:client_secret
      ```

Example of a header with the `client_id` and the `client_secret` in Base64:
>```
>Authorization : Basic ZjkyMTIxNzMtZTcwNS0zNzNiLWE2OTgtNjE5MjNlMzc4MzU5OjAyYWI1Mjg4LTkyZGItM2FiMy05OWZkLWZhYzRhZjg1N2Q4MQ==
>```

    - In the body, pass the `grant_type` in `x-www-form-urlencoded` format:

      ```
      grant_type=client_credentials
      ```

    - The access token will be returned in the request's body, as in the example below:

```
{
  "access_token": "6c164a82-84a6-3bc4-8122-f777121a4f62",
  "token_type": "access_token",
  "expires_in": 3600
}
```

  </Step>
  <Step>
   Test the policy:

    - Copy your context URL and paste it into `POST`.

    - Insert the access token parameter in the request header, with the same name that you registered for the policy (e.g., `access_token`).

    - Click **Send**.

    - Check if the request was successful in the handler's status icon.
  </Step>
</Steps>
  </TabPanel>
    <TabPanel tabId="oauth">
        #### OAuth Validation
The **OAuth Validation** interceptor requires the validation of `client ID` and `access token`.

If not yet configured, see the topics:

- **Client ID Validation**

- **Access Token Validation**
The client ID and access token values must be passed in the request header.

**Testing the policy in Postman:**

<Steps>
    <Step>
     Copy the URL of your context and paste it into the `POST` request.
    </Step>
    <Step>
     Paste the client ID value into the request header.
    </Step>
    <Step>
     Paste the access token value into the request header.
    </Step>
    <Step>
     Click **Send**.
    </Step>
    <Step>
     Check if the request was successful in the handler status icon.
    </Step>
</Steps>
    </TabPanel>
    <TabPanel tabId="jwt">
     #### JWT Validation
The **JWT Validation** interceptor requires the validation of a JWT token, which must be obtained through the **OAuth JWT** flow.

<Callout type="NOTE" title="NOTE">
When registering this interceptor for a policy, you need to define the name to be used for passing the access token value (e.g., access_token) and where it will be passed in the request (header, default JWT header, or query param).
</Callout>

<Callout type="WARNING" title="WARNING">
For this interceptor to work, you must register the JWT authorization URL of your context on the [Authorizations](/docs/events-hub/authorizations) screen. See how to [obtain the authorization URL using Sensedia API Platform](/docs/events-hub/#obtain-the-authorization-url-using-sensedia-api-platform).
</Callout>

Follow the steps to configure a JWT Validation:

**In Sensedia API Platform:**

<Steps>
    <Step>
     Go to **Consumers > APPS** and click **+ Create APP**.
    </Step>
    <Step>
     In the **APIS AND PLANS** tab, search for **Events Hub Authorization 1.0** and select it using the **SELECT ALL PLANS** button.
    </Step>
    <Step>
     Click **PUBLISH YOUR APP**.
    </Step>
</Steps>

<Callout type="NOTE" title="NOTE">
    If you already have an APP with a plan linked to the **Events Hub Authorization 1.0** API, you do not need to do this again.
</Callout>

**In Postman:**

<Steps>
    <Step>
     Generate the `code`:

     To obtain the token, you need to generate the `code` by making a request to the **OAuth API** deployed on your platform.

        - Make a `POST` request to the endpoint `<gateway-url>/oauth/grant-code`.

        - In the header, pass:

            ```
            Content-Type: application/json
            ```

        - In the body, pass the following information. Remember to replace the example client ID with your APP's client ID.

```json
{
    "client_id": "f9212173-e705-373b-a698-61923e378359",
    "extraInfo": {},
    "redirect_uri": "string",
    "state": "string"
}
```

<Callout type="TIP" title="TIP">
The redirect_uri must be filled with a URL. You can use, for example: "http://test.com".
</Callout>

The response will return the `code` after the `=` sign, as in the example below:

```
{
    "redirect_uri": "string?state=string&code=8748d39f-1d4f-311f-92c6-4b279db1b317"
}
```

</Step>
   <Step>
     With the copied `code`, generate the JWT token:

        - Make a `POST` request to the endpoint `<gateway-url>/oauth/access-token`.

        - In the header, pass:

            ```
            Authorization: Basic client_id:client_secret
            ```

        - In the body, select the `json` format and pass the following information, including the `code` number generated in the previous request:

```
"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer"
"code" : "8748d39f-1d4f-311f-92c6-4b279db1b317"
```

        - The JWT token will be returned in the response, as in the example below:

```
{
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJsb2NhbGhvc3QiLCJpc3MiOiIxNzIuMTguMC4xIiwic3ViIjoiOWI1Zjc3MWUtNzgyZC0zNTEwLWI2YmEtMzZlOWM2NWJmZDVkIiwiZXhwIjozNjAwLCJpYXQiOjE1Mjg5MTg2MzcsIkFwcDogIjoiRGVtb0FwcCIsIkNvZGU6ICI6IjRlNWIyMTEzLTJkYzYtM2RlNi1iN2ZkLWNkOTYxOTMxZWQyOSIsImxvZ2luIjoidXNlci5sb2dpbiJ9.DVSd_yIKiWqIRpcFUhpB5JT9HMUE4mI5fAcpzs4QOkM",
    "token_type": "access_token",
    "expires_in": 3600
    }
```
</Step>
    <Step>
     Test the policy:

        - Copy the URL of your context and paste it into the `POST` request.

        - Paste the JWT token value into the request header.

        - Click **Send**.

        - Check if the request was successful in the handler status icon.
    </Step>
</Steps>
    </TabPanel>
</Tabs>