GBG Developers

Guides   |   Authorization


The GBG Identity Solution uses a three-stage process; authentication, authorization and then making verification requests.

The first stage, Authentication, results in an IDP access token being obtained through Single Sign-on or M2M or pre-generated token methods.

This guide covers the second stage, known as Authorization, which results in the IDP access token being exchanged for a GBG access token. If you're using an Android, iOS or Web SDK then there will be a function call you can use to perform the Authorization. If you're using the API, then a HTTP POST request is used.

The Stage 2 table below shows the content that needs to be sent in the HTTP POST request. Note that everything is to be hard-coded as shown, except the italic content which is the IDP access token.

Here's an example using PostMan:

The 200 OK response contains the GBG access token, in the access_token field as shown in the screenshot above.

Here's more detail on the Authorization request and response; as mentioned earlier, everything is hard-coded as shown (no secrets are sent, just the text 'secret'), the only thing that is not hard-coded is the IDP Access Token which is sent in the id_token field:

You can now proceed to use the GBG access token (received in the access_token field) for any number of verification requests, until the token expires.