Authorization Overview
This section describes the standard authorization model used by Mavryx backend services.
Authentication Method
Mavryx APIs use Bearer access tokens issued by the IAM service. Clients must authenticate against IAM first and then send the returned token in the Authorization header:
Authorization: Bearer <access_token>
Token Acquisition
Machine-to-machine integrations typically use the OAuth 2.0 client_credentials grant.
Example token request:
curl -X POST 'https://iam.mavryx.emartsynergia.com/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=YOUR_CLIENT_ID' \
--data-urlencode 'client_secret=YOUR_CLIENT_SECRET'
Example response:
{
"access_token": "eyJ...",
"token_type": "Bearer",
"expires_in": 900
}
Use the access_token value in subsequent API calls.
IAM OpenAPI
IAM OpenAPI documentation is available at:
- Swagger UI: https://iam.mavryx.docker/api/doc
- OpenAPI JSON: https://iam.mavryx.docker/api/doc.json
Validation Rules
Protected services validate that the token:
- is provided in the Authorization: Bearer ... header
- is a valid JWT issued by the configured IAM instance
- is an access token
- targets the expected audience for the service
- contains the permissions required by the specific endpoint
Permissions
Authorization is permission-based. A valid token is not sufficient on its own if the IAM client lacks the required permission for an endpoint.
Example:
POST /mhra/vista-import requires submissions-tool.vista-import.create
If the token is valid but the permission is missing, the API returns 403 Forbidden.
Common Failure Modes
401 Unauthorized
- the Authorization header is missing
- the token is invalid or expired
- the token was not issued by the expected IAM instance
403 Forbidden
- the token is valid, but the client does not have the permission required by the endpoint
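The following is an added example, not Mavryx code, showing how a protected service would apply the Validation Rules above and map each failure to the 401/403 outcomes listed under Common Failure Modes. It assumes a symmetric HS256 demo key, a placeholder issuer and audience, and claim names (token_use, permissions) that are not documented on this page; a real IAM deployment would verify the instance's published signing key instead.

```python
import base64, hmac, hashlib, json, time

# Constructed demo values (assumptions, not Mavryx IAM configuration). An HMAC
# secret keeps the example self-contained; production would use the IAM public key.
DEMO_SECRET = b"demo-signing-secret"
EXPECTED_ISSUER = "https://iam.example.invalid"   # placeholder for the configured IAM instance
SERVICE_AUDIENCE = "submissions-tool"            # placeholder audience for this service

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_demo_token(claims: dict) -> str:
    """Build a compact HS256 JWT so the check below has realistic input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def authorize(headers: dict, required_permission: str, now=None) -> tuple:
    """Apply the Validation Rules in order; return (HTTP status, reason)."""
    now = now or time.time()
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing or malformed Authorization header"
    parts = auth[len("Bearer "):].split(".")
    if len(parts) != 3:
        return 401, "token is not a JWT"
    header, body, sig = parts
    # pin the algorithm before verifying so an attacker-chosen 'alg' is never honoured
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return 401, "unexpected signing algorithm"
    expected = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):   # constant-time compare
        return 401, "signature does not verify against the configured IAM key"
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != EXPECTED_ISSUER:
        return 401, "token not issued by the expected IAM instance"
    if claims.get("exp", 0) <= now:
        return 401, "token expired"
    if claims.get("token_use") != "access":          # claim name is an assumption
        return 401, "not an access token"
    if SERVICE_AUDIENCE not in claims.get("aud", []):
        return 401, "token does not target this service's audience"
    # a valid token is still not enough: the endpoint's permission must be present
    if required_permission not in claims.get("permissions", []):  # claim name assumed
        return 403, "client lacks the permission required by the endpoint"
    return 200, "ok"
```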