# Authentication Operations

Invoke the Authentication API to generate, refresh, and revoke access tokens.  An access token is required to perform any authorized API operation.

## Request/Refresh an access token.

 - [POST /auth/token](https://api.tenovos.com/openapi/v1/authentication-operations/getauthtoken.md): Use this operation to request an access token to perform other API operations that require authorization.


The authentication response includes an accessToken which is used as the AccessToken request header when performing any authenticated operation.

This operation will also accept the previous authentication response as the request payload to return a refreshed access token.  The access token expires after 1 hour and must be refreshed after expiration, using the included refreshToken.  The refresh token can be used for up to 30 days to request new access tokens, or until the refresh token is revoked.  Once the refresh token expires or is revoked, the user credentials must be provided again to generate a new access token and refresh token.

## Expire an access token.

 - [DELETE /auth/token](https://api.tenovos.com/openapi/v1/authentication-operations/expiretoken.md): Expire an access token before the token's expiration date and revoke access to the system.

Access tokens normally expire within an hour.  This operation expires an access token upon request so that the token may no longer be used for future operations.

The Request Body must be a JSON object.  
The following parameters are required to expire the access token:

{  
  "endpointUrl": "URL",  
  "clientId": "string",  
  "userPoolId": "string",
  "username": "string",
  "password": "string",
  "session":
  {
    "accessToken": "string",
    "refreshToken": "string",
    "authorization": "string"
  }
}

## Impersonate a given user. (deprecated)

 - [POST /auth/impersonate](https://api.tenovos.com/openapi/v1/authentication-operations/impersonate.md): Use this operation to request an access token to perform other API operations that require authorization.

The authentication response includes an accessToken which is used as the AccessToken request header when performing any authenticated operation.

This operation will also accept the previous authentication response as the request payload to return a refreshed access token.  The access token expires after 1 hour and must be refreshed after expiration, using the included refreshToken.  The refresh token can be used for up to 30 days to request new access tokens, or until the refresh token is revoked.  Once the refresh token expires or is revoked, the user credentials must be provided again to generate a new access token and refresh token.