API Endpoints

Complete reference for all OAuth and OpenID Connect endpoints.

Authorization Endpoint

GET
/api/v2/oauth/authorize

Query Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| response_type | string | Yes | Must be "code" |
| client_id | string | Yes | Your application's client ID |
| redirect_uri | string | Yes | Must match a registered redirect URI exactly |
| scope | string | No | Space-separated list of scopes (defaults to "openid") |
| state | string | Recommended | Random string for CSRF protection |
| nonce | string | Recommended | Random string for replay attack prevention (OpenID Connect) |

Response

Cengel Pass redirects to your redirect_uri with:

?code=AUTHORIZATION_CODE&state=YOUR_STATE

Or on error:

?error=ERROR_CODE&error_description=DESCRIPTION&state=YOUR_STATE

Error Response Codes

| Error Code | Type | Description |
|---|---|---|
| invalid_request | string | Request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed |
| unauthorized_client | string | Client is not authorized to use this authorization flow |
| access_denied | string | The resource owner or authorization server denied the request |
| invalid_scope | string | The requested scope is invalid, unknown, or malformed |
| server_error | string | The authorization server encountered an unexpected condition that prevented it from fulfilling the request |
| temporarily_unavailable | string | The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server |
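
The authorization request and the callback checks for this endpoint, as an added example (not Cengel Pass's own code): it generates `state` and `nonce`, builds the request URL, and validates the redirect before accepting the code. The base URL passed in, the function names and the `CallbackError` class are assumptions for illustration.

```python
# Added illustration: function names and CallbackError are hypothetical.
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_PATH = "/api/v2/oauth/authorize"  # path documented on this page


class CallbackError(Exception):
    """Raised when the redirect back to redirect_uri must be rejected."""


def build_authorize_url(base_url, client_id, redirect_uri, scope="openid"):
    """Return (url, state, nonce); keep state and nonce in the user's session."""
    state = secrets.token_urlsafe(32)  # CSRF binding for this browser session
    nonce = secrets.token_urlsafe(32)  # compared later with the id_token nonce claim
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    })
    return f"{base_url.rstrip('/')}{AUTHORIZE_PATH}?{query}", state, nonce


def handle_callback(callback_url, expected_state):
    """Validate the redirect and return the authorization code."""
    params = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    # A parameter sent more than once is malformed; reject instead of picking one.
    for name in ("code", "state", "error"):
        if len(params.get(name, [])) > 1:
            raise CallbackError(f"duplicate parameter: {name}")
    state = params.get("state", [""])[0]
    # Check state first, so a forged callback cannot drive the success
    # path or the error path.
    if not expected_state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        raise CallbackError("state mismatch")
    if "error" in params:
        desc = params.get("error_description", [""])[0]
        raise CallbackError(f"{params['error'][0]}: {desc}")
    code = params.get("code", [""])[0]
    if not code:
        raise CallbackError("missing code")
    return code
```
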

Token Endpoint

POST
/api/v2/oauth/token

Request Body (JSON)

{
  "grant_type": "authorization_code",
  "code": "AUTHORIZATION_CODE",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "redirect_uri": "YOUR_REDIRECT_URI"
}

Request Body Fields

| Field | Type | Required | Description |
|---|---|---|---|
| grant_type | string | Yes | Must be "authorization_code" |
| code | string | Yes | Authorization code from the authorization endpoint |
| client_id | string | Yes | Your application's client ID |
| client_secret | string | Yes | Your application's client secret |
| redirect_uri | string | Yes | Must match the redirect_uri used in the authorization request |

Response

The API returns 200 OK with:

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 1800,
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Response Fields

| Field | Type | Status | Description |
|---|---|---|---|
| access_token | string | Required | JWT token for API access (expires in 30 minutes) |
| token_type | string | Required | Always "Bearer" |
| expires_in | number | Required | Access token lifetime in seconds (1800 = 30 minutes) |
| refresh_token | string | Required | JWT token for obtaining new access tokens (expires in 7 days) |
| id_token | string | Required | JWT containing user identity information (OpenID Connect) |

Refresh Token Request

{
  "grant_type": "refresh_token",
  "refresh_token": "YOUR_REFRESH_TOKEN",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET"
}

UserInfo Endpoint

GET
/api/v2/oauth/userinfo

Headers

Authorization: Bearer YOUR_ACCESS_TOKEN

Response

The API returns a response structure that depends on the granted scopes. See the User Info section for details.