Nomba Authentication API

The Nomba Authentication API provides OAuth2-based authentication for accessing all Nomba API endpoints. It supports two authentication methods: Client-Credentials for server-to-server integrations and PKCE (Proof Key for Code Exchange) for client-side applications. Developers obtain HTTP bearer tokens that are used to authorize subsequent API calls across the Nomba platform.
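The issue, refresh and revoke lifecycle this API describes, as an added example that is not Nomba's own code, using only the paths and fields from the specification on this page. The `TokenManager` name, the `post(path, body, headers)` transport hook and the 60-second `skew` margin are assumptions made for illustration.

```python
import time

ISSUE, REFRESH, REVOKE = ("/v1/auth/token/issue", "/v1/auth/token/refresh",
                          "/v1/auth/token/revoke")

class TokenManager:
    """Caches a bearer token and renews it shortly before expires_in elapses."""

    def __init__(self, post, client_id, client_secret, skew=60, clock=time.monotonic):
        # post(path, body, headers) -> (http_status, parsed_json) is a hypothetical
        # transport hook; in production it would wrap an HTTPS client.
        self._post, self._id, self._secret = post, client_id, client_secret
        self._skew, self._clock = skew, clock
        self._access = self._refresh = None
        self._deadline = 0.0

    def _store(self, status, payload):
        data = payload.get("data") or {}
        if status != 200 or not data.get("access_token"):
            # Surface only the server's description; never echo request secrets.
            raise PermissionError(f"token request failed: HTTP {status} "
                                  f"{payload.get('description', '')}")
        self._access = data["access_token"]
        self._refresh = data.get("refresh_token", self._refresh)
        self._deadline = self._clock() + data.get("expires_in", 0) - self._skew

    def token(self):
        if self._access and self._clock() < self._deadline:
            return self._access
        if self._refresh:
            status, payload = self._post(REFRESH, {"grant_type": "refresh_token",
                                         "refresh_token": self._refresh}, {})
            if status == 200:
                self._store(status, payload)
                return self._access
            self._refresh = None  # rejected refresh token: fall back to a full issue
        self._store(*self._post(ISSUE, {"grant_type": "client_credentials",
                    "client_id": self._id, "client_secret": self._secret}, {}))
        return self._access

    def auth_header(self):
        return {"Authorization": f"Bearer {self.token()}"}

    def revoke(self):
        if self._access:
            status, _ = self._post(REVOKE, {"token": self._access},
                                   {"Authorization": f"Bearer {self._access}"})
            self._access = self._refresh = None  # drop local copies regardless
            return status == 200
        return False
```

Injecting the transport and clock keeps the client secret out of module-level state and lets the expiry and fallback paths be exercised without network access.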

OpenAPI Specification

nomba-authentication-openapi.yml
openapi: 3.1.0
info:
  title: Nomba Authentication API
  description: >-
    The Nomba Authentication API provides OAuth2-based authentication for
    accessing all Nomba API endpoints. It supports two authentication methods:
    Client-Credentials for server-to-server integrations and PKCE (Proof Key
    for Code Exchange) for client-side applications. Developers obtain HTTP
    bearer tokens that are used to authorize subsequent API calls across the
    Nomba platform.
  version: '1.0.0'
  contact:
    name: Nomba Developer Support
    url: https://developer.nomba.com
  termsOfService: https://nomba.com/terms
externalDocs:
  description: Nomba Authentication Documentation
  url: https://developer.nomba.com/nomba-api-reference/authenticate/obtain-access-token
servers:
  - url: https://api.nomba.com
    description: Production Server
  - url: https://sandbox.nomba.com
    description: Sandbox Server
tags:
  - name: Authentication
    description: >-
      Endpoints for obtaining, refreshing, and revoking OAuth2 access tokens
      used to authenticate requests to all Nomba APIs.
paths:
  /v1/auth/token/issue:
    post:
      operationId: obtainAccessToken
      summary: Obtain access token
      description: >-
        Obtains an OAuth2 bearer access token using client credentials. The
        returned token must be included in the Authorization header of all
        subsequent API requests. Supports both Client-Credentials and PKCE
        authentication flows.
      tags:
        - Authentication
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - grant_type
                - client_id
                - client_secret
              properties:
                grant_type:
                  type: string
                  description: >-
                    The OAuth2 grant type. Use client_credentials for
                    server-to-server integrations.
                  enum:
                    - client_credentials
                  example: client_credentials
                client_id:
                  type: string
                  description: >-
                    The client ID obtained from the Nomba dashboard.
                  example: your_client_id
                client_secret:
                  type: string
                  description: >-
                    The client secret obtained from the Nomba dashboard.
                  example: your_client_secret
      responses:
        '200':
          description: Access token issued successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
        '400':
          description: Invalid request parameters
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '401':
          description: Invalid client credentials
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
  /v1/auth/token/refresh:
    post:
      operationId: refreshAccessToken
      summary: Refresh an expired token
      description: >-
        Refreshes an expired access token using a previously issued refresh
        token. This allows applications to maintain long-lived sessions without
        requiring users to re-authenticate.
      tags:
        - Authentication
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - grant_type
                - refresh_token
              properties:
                grant_type:
                  type: string
                  description: >-
                    The OAuth2 grant type for token refresh.
                  enum:
                    - refresh_token
                  example: refresh_token
                refresh_token:
                  type: string
                  description: >-
                    The refresh token obtained from the initial token issuance.
      responses:
        '200':
          description: Token refreshed successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
        '400':
          description: Invalid request parameters
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '401':
          description: Invalid or expired refresh token
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
  /v1/auth/token/revoke:
    post:
      operationId: revokeAccessToken
      summary: Revoke an access token
      description: >-
        Revokes a previously issued access token, invalidating it for future
        use. This is useful when a user logs out or when a token needs to be
        invalidated for security reasons.
      tags:
        - Authentication
      security:
        - bearerAuth: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - token
              properties:
                token:
                  type: string
                  description: >-
                    The access token to revoke.
      responses:
        '200':
          description: Token revoked successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SuccessResponse'
        '400':
          description: Invalid request parameters
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        OAuth2 bearer token obtained from the token issuance endpoint.
  schemas:
    TokenResponse:
      type: object
      properties:
        code:
          type: string
          description: >-
            Response status code.
          example: '00'
        description:
          type: string
          description: >-
            Human-readable description of the response.
          example: Success
        data:
          type: object
          properties:
            access_token:
              type: string
              description: >-
                The OAuth2 bearer token used to authenticate API requests.
            refresh_token:
              type: string
              description: >-
                The refresh token that can be used to obtain a new access token.
            token_type:
              type: string
              description: >-
                The type of token issued.
              example: Bearer
            expires_in:
              type: integer
              description: >-
                The number of seconds until the access token expires.
              example: 3600
    SuccessResponse:
      type: object
      properties:
        code:
          type: string
          description: >-
            Response status code.
          example: '00'
        description:
          type: string
          description: >-
            Human-readable description of the response.
          example: Success
    ErrorResponse:
      type: object
      properties:
        code:
          type: string
          description: >-
            Error status code.
        description:
          type: string
          description: >-
            Human-readable description of the error.
        errors:
          type: array
          description: >-
            List of specific error details.
          items:
            type: string