Authentication

The MaxConf API uses the Microsoft Entra ID (Azure AD) OAuth2.0 client credentials flow. Consumers authenticate by requesting an access token from the Microsoft identity platform, then pass it as a Bearer token on subsequent API requests.

sequenceDiagram
    participant Consumer as API Consumer
    participant Entra as Microsoft Entra ID
    participant APIM as API Management
    participant FA as Function App

    Consumer->>Entra: POST /oauth2/v2.0/token<br/>(client_id, client_secret, scope)
    Entra-->>Consumer: access_token (JWT, expires_in: 3599)
    Consumer->>APIM: GET /room/create<br/>Authorization: Bearer {token}
    APIM->>APIM: Validate JWT signature & claims
    APIM->>FA: Forward request
    FA-->>Consumer: 200 OK (room details)

All environments use the same Microsoft Entra ID tenant:

POST https://login.microsoftonline.com/953fc14a-00c7-4452-a2fb-0a73070de7f3/oauth2/v2.0/token

| Parameter | Value |
|---|---|
| grant_type | client_credentials |
| client_id | Service principal Application (client) ID |
| client_secret | Current client secret value |
| scope | api://{client_id}/.default |

| Environment | Application (Client) ID |
|---|---|
| Test/Edge (DEV, DEV2, SIT) | d802c929-6984-48f9-81d1-ff8770c65bde |
| Test (QA, PREPROD, Test) | 9f0c40e1-6c03-40c1-8035-78bfcd8fed1b |
| Production | a154a158-92d0-4d3c-a756-95d811001574 |

curl -X POST \
  "https://login.microsoftonline.com/953fc14a-00c7-4452-a2fb-0a73070de7f3/oauth2/v2.0/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=d802c929-6984-48f9-81d1-ff8770c65bde" \
  -d "client_secret={SECRET_VALUE}" \
  -d "scope=api://d802c929-6984-48f9-81d1-ff8770c65bde/.default"

{
  "token_type": "Bearer",
  "expires_in": 3599,
  "ext_expires_in": 3599,
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs..."
}

The expires_in value of 3599 seconds means the token is valid for approximately 1 hour. Consumers should cache the token and request a new one only when the current token is expired or about to expire.
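
One way a consumer could implement the caching described above, as an added example that is not part of the MaxConf code base. The names TokenCache and fetch_token, the 300-second refresh margin and the injectable fetch/clock parameters are assumptions made for illustration; the token URL, form parameters and response fields are the ones shown on this page.

```python
import json
import threading
import time
import urllib.parse
import urllib.request

# Tenant ID as given on this page; the helper names below are illustrative.
TOKEN_URL = ("https://login.microsoftonline.com/"
             "953fc14a-00c7-4452-a2fb-0a73070de7f3/oauth2/v2.0/token")

def fetch_token(client_id, client_secret):
    """POST the client-credentials form and return the parsed JSON body."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"api://{client_id}/.default",
    }).encode()
    # A Request with a data body is sent as a form-encoded POST.
    with urllib.request.urlopen(urllib.request.Request(TOKEN_URL, data=form),
                                timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Hypothetical helper: reuse one token until `skew` seconds before expiry."""

    def __init__(self, client_id, client_secret, fetch=fetch_token,
                 clock=time.monotonic, skew=300):
        self._creds = (client_id, client_secret)
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._token, self._refresh_at = None, 0.0
        self._lock = threading.Lock()  # one refresh at a time across threads

    def get(self):
        with self._lock:
            now = self._clock()
            if self._token is None or now >= self._refresh_at:
                body = self._fetch(*self._creds)
                if body.get("token_type") != "Bearer" or not body.get("access_token"):
                    # Never log the body: on success it contains the token.
                    raise ValueError("unexpected token response")
                self._token = body["access_token"]
                self._refresh_at = now + max(int(body["expires_in"]) - self._skew, 0)
            return self._token

    def auth_header(self):
        return {"Authorization": f"Bearer {self.get()}"}
```

Create one TokenCache per client ID and share it across requests, loading the client secret from a secret store or environment variable rather than from source code.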

Include the access token in the Authorization header of every API request:

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs...

The following endpoints do not require OAuth2.0 authentication:

| Endpoint | Authentication |
|---|---|
| GET /public/room/{room_name} | x-auth-token header (Genesys Cloud bearer token) |
| POST /public/event_sink | HTTP Basic (eventsink credentials) |
| GET /public/health | None |

These endpoints are separated into the /public prefix and use alternative authentication mechanisms appropriate to their consumers (Genesys Cloud widgets and Pexip event hooks).