Jiko uses OAuth 2.0 for API authentication. There are two flows depending on your use case:
| Flow | Use Case | Client Setup |
|---|---|---|
| Authorization Code | User-facing apps that need to act on behalf of users | Self-service via Settings page |
| Client Credentials | Machine-to-machine, backend services | Contact Jiko support |
All clients authenticate with Private Key JWT: you sign a JWT with your private key, and Jiko verifies the signature with the public key you registered. No shared secrets are exchanged.
You can register your public key in the Settings page of the Jiko authentication portal.
The following extensions are supported:
| Extension | Purpose |
|---|---|
| PKCE | Protects authorization codes from interception (required) |
| DPoP | Binds tokens to your client so stolen tokens are useless (optional) |
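The two client-side pieces above, Private Key JWT client authentication and PKCE, shown end to end as an added Go example (this is not Jiko's code, and the page does not say which signature algorithm, claim lifetimes or header fields Jiko accepts). The example assumes ES256 (ECDSA P-256 with SHA-256), a `kid` header naming the registered key, a two-minute assertion lifetime, and placeholder `tokenEndpoint` and `clientID` values. It builds the RFC 7523 `client_assertion` the way a client would, then performs the verification the server does with the registered public key, pinning the algorithm so a token cannot choose its own, and finally generates and re-checks an S256 PKCE pair.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Placeholders: this page does not give Jiko's token endpoint or a client ID.
const (
	tokenEndpoint = "https://auth.example.invalid/oauth2/token"
	clientID      = "example-client-id"
)

var b64 = base64.RawURLEncoding

// newClientKey makes a P-256 key pair: register the public half, keep the private half.
func newClientKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signES256 builds a compact JWS (header.payload.signature) with ECDSA P-256 / SHA-256.
func signES256(key *ecdsa.PrivateKey, header, claims map[string]any) (string, error) {
	header["alg"] = "ES256"
	hb, err := json.Marshal(header)
	if err != nil { return "", err }
	cb, err := json.Marshal(claims)
	if err != nil { return "", err }
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(cb)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil { return "", err }
	sig := make([]byte, 64) // JWS ES256 signature is r||s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyES256 is the server-side check: pin the algorithm, verify against the
// registered public key, then hand back the claims for exp/aud/jti checks.
func verifyES256(pub *ecdsa.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed JWS") }
	hb, err := b64.DecodeString(parts[0])
	if err != nil { return nil, err }
	// Never let the token choose the algorithm: only the registered key's alg is accepted.
	var header struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hb, &header) != nil || header.Alg != "ES256" { return nil, errors.New("unexpected alg") }
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { return nil, errors.New("bad signature encoding") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) { return nil, errors.New("signature invalid") }
	cb, err := b64.DecodeString(parts[1])
	if err != nil { return nil, err }
	var claims map[string]any
	if err := json.Unmarshal(cb, &claims); err != nil { return nil, err }
	return claims, nil
}

// clientAssertion builds the private_key_jwt assertion (RFC 7523): iss and sub are
// the client ID, aud is the token endpoint, jti is single-use, exp is short (assumed 2 min).
func clientAssertion(key *ecdsa.PrivateKey, kid string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil { return "", err }
	claims := map[string]any{
		"iss": clientID, "sub": clientID, "aud": tokenEndpoint, "jti": b64.EncodeToString(jti),
		"iat": now.Unix(), "exp": now.Add(2 * time.Minute).Unix(),
	}
	return signES256(key, map[string]any{"typ": "JWT", "kid": kid}, claims)
}

// pkcePair returns a fresh code_verifier and its S256 code_challenge (RFC 7636).
func pkcePair() (verifier, challenge string, err error) {
	raw := make([]byte, 32)
	if _, err = rand.Read(raw); err != nil { return "", "", err }
	verifier = b64.EncodeToString(raw) // 43 chars, inside the 43..128 limit
	return verifier, pkceChallenge(verifier), nil
}

// pkceChallenge is what the token endpoint recomputes from the code_verifier and
// compares with the code_challenge sent on the authorization request.
func pkceChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return b64.EncodeToString(sum[:])
}
```

In use, the client sends the assertion to the token endpoint as `client_assertion` together with `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`, and sends `code_challenge` plus `code_challenge_method=S256` on the authorization request and the matching `code_verifier` on the token request. The server side here deliberately reads `alg` from the header only to reject anything other than the registered key's algorithm, and it leaves `exp`, `aud` and `jti` replay checks to the caller, which should compare them against its own clock and endpoint.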
Token lifetimes:
- Access tokens: 15 minutes
- Refresh tokens: 90 days (Authorization Code Flow only)
See Refresh Tokens for how to get new access tokens without re-authenticating.
See Scopes for available permissions.