Authorization Token

What is an Authorization Token?

An authorization token is a secure, encoded string issued after successful authentication, representing the user’s or system’s identity and permissions.

It’s used to grant access to authorized customer number(s) or services within an Enterprise API.

Once the token is issued, it is included in each request to prove that the client has the necessary authorization to retrieve the specific data of defined customers.

Tokens are commonly JSON Web Tokens (JWT), which consist of three parts:

Header: Contains metadata about the token (e.g., the type of token and the algorithm used for signing).

Payload: Holds claims or information about the user and their permissions.

Signature: Used to verify the token’s authenticity and ensure it hasn’t been tampered with.

How is an Authorization Token Generated?

Authorization tokens are generated by an authentication server after a user successfully authenticates (OAuth 2.0 Client Credentials Flow).

The server encodes the user’s identity and permissions into a token, which is then returned to the client.

This token must be included in API requests as a proof of authorization.

OAuth 2.0 Client Credentials Flow

Authorization Token Structure

Here’s a breakdown of the fields in your token and what they represent.

The token requester is sometimes called the client.

{
  "exp": 1725894657,
  "iat": 1725894357,
  "jti": "5e11fde3-f097-333a-8688-901ab8a449vv",
  "iss": "https://my.dkv-mobility.com/auth/realms/enterprise-api",
  "sub": "1230d38-59ac-446f-96a4-ebf0ad0bd515",
  "typ": "Bearer",
  "azp": "Test1",
  "scope": "openid",
  "AUTHORIZED_CUSTOMER_NRS": [
    "0000111111",
    "0000222222"
  ],
  "MAIN_COMPANY_NAME": "DKV EURO SERVICE GmbH + Co. KG",
  "clientId": "Test1",
  "clientHost": "xxx.xxx.xxx.xx",
  "TECHNICAL_USER_API_ROLES": [
    "passages",
    "transactions",
    "fuelcardinformation",
    "obuinformation",
    "olaservice"
  ],
  "TECHNICAL_USERNAME": "TEST User",
  "CONTACT_EMAIL": "max.mustermann@step.com",
  "MOB_NUMBER": "0049157834561",
  "TECHNICAL_USER_PRODUCT": [
    "DKV_EREPORTING_PREMIUM",
    "DKV_EREPORTING"
  ],
  "MAIN_CUSTOMER_NO": "0000111111",
  "clientAddress": "xxx.xxx.xxx.xx",
  "client_id": "Test1"
}

Token Fields Explained:

exp (Expiration Time): This is a Unix timestamp indicating when the token will expire. After this time, the token will no longer be valid (e.g., 1725894657).

iat (Issued At): The Unix timestamp for when the token was created or issued.

jti (JWT ID): A unique identifier for the token.

iss (Issuer): Identifies the issuer of the token, in this case, the URL of the authentication server (https://my.dkv-mobility.com/auth/realms/enterprise-api).

sub (Subject): Refers to the unique identifier of the user that the token is for (e.g., “1230d38-59ac-446f-96a4-ebf0ad0bd515”).

typ (Type): Indicates the type of token (“Bearer”) used for API authorization.

azp (Authorized Party): Identifies the client application that this token is intended for (e.g., “Test1”).

scope: Defines the scope of access granted by the token (e.g., “openid”).

AUTHORIZED_CUSTOMER_NRS: A list of customer numbers, associated with the user, that this token is authorized to access.

These numbers are verified when processing requests to ensure that the token holder has access to specific customer resources (e.g., “0000111111”, “0000222222”).

MAIN_COMPANY_NAME: The name of the main company associated with this token (e.g., “DKV EURO SERVICE GmbH + Co. KG”).

clientId: Identifies the client that is making the request (e.g., “Test1”).

clientHost: The IP address of the client making the request (e.g., “xxx.xxx.xxx.xx”).

TECHNICAL_USER_API_ROLES: A list of API roles that define what services the token holder is authorized to perform (e.g., “passages”, “transactions”, “fuelcardinformation”, “olaservice”).

Currently only olaservice differs between API users; it is either enabled or disabled for a given API user.

All other services are the same for every API user and are permitted for all of them.

TECHNICAL_USERNAME: The username of the technical user associated with the token requestor (e.g., “TEST User”).

CONTACT_EMAIL: The contact email address associated with the token requestor (e.g., “max.mustermann@step.com”).

MOB_NUMBER: The mobile phone number of the user (e.g., “0049157834561”).

TECHNICAL_USER_PRODUCT: A list of product categories that the technical user has access to (e.g., “DKV_EREPORTING_PREMIUM”, “DKV_EREPORTING”). Currently it’s a constant value.

MAIN_CUSTOMER_NO: The main customer number associated with the token requestor (e.g., “0000111111”).

clientAddress: The IP address of the client machine sending the request.

client_id: Another identifier for the client application making the request (e.g., “Test1”).
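As an added example that is not part of this documentation, the following shows the check an API backend would perform on the claims listed above: verify the signature first, then test the issuer, the expiry, the requested customer number against AUTHORIZED_CUSTOMER_NRS and the requested service against TECHNICAL_USER_API_ROLES. The HS256 key, the demo claim values and the function names are constructed assumptions; the page does not state which signing algorithm or key the issuer actually uses.

```python
import base64, hashlib, hmac, json

# Issuer URL and claim names are the ones shown in the token on this page.
ISSUER = "https://my.dkv-mobility.com/auth/realms/enterprise-api"

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: bytes) -> str:
    # Builds a constructed demo token; the real issuer's key and algorithm are not on the page.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes) -> dict:
    # Checks the signature over header.payload before any claim is trusted.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier pins the algorithm; the token does not choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))

def authorize(claims: dict, customer_nr: str, api_role: str, now: int):
    # Decides whether already-verified claims permit api_role on customer_nr at time `now`.
    if claims.get("iss") != ISSUER:
        return False, "unexpected issuer"
    if claims.get("typ") != "Bearer":
        return False, "not a bearer token"
    if now >= claims.get("exp", 0):
        return False, "token expired"
    if customer_nr not in claims.get("AUTHORIZED_CUSTOMER_NRS", []):
        return False, "customer number not authorized for this token"
    if api_role not in claims.get("TECHNICAL_USER_API_ROLES", []):
        return False, "API role not granted to this technical user"
    return True, "ok"

# Constructed sample mirroring the page's example token (key and values are placeholders).
DEMO_KEY = b"constructed-demo-key"
DEMO_CLAIMS = {"exp": 1725894657, "iat": 1725894357, "iss": ISSUER, "typ": "Bearer",
               "azp": "Test1", "AUTHORIZED_CUSTOMER_NRS": ["0000111111", "0000222222"],
               "TECHNICAL_USER_API_ROLES": ["passages", "transactions", "olaservice"]}
DEMO_TOKEN = sign_hs256(DEMO_CLAIMS, DEMO_KEY)
```

A request for customer 0000333333, or for a service not listed in TECHNICAL_USER_API_ROLES, is refused even though the token itself is valid, which is the distinction between authentication and authorization the page draws.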