Authentication

Before you can make requests to the azakaw API, you need to obtain an authentication token. This token must be included in all subsequent requests.

Getting an Access Token

POST {auth_base_url}/api/AppSessionManager/GetAppToken

Request Body

{
  "appId": "your-app-id",
  "appSecret": "your-app-secret",
  "tenantId": "your-tenant-id"
}

Response

{
  "version": null,
  "statusCode": 200,
  "messages": [
    "Processed successfully"
  ],
  "result": {
    "token": "eyJhbGciOiJIUzI1NiIs..."
  }
}

SDK / Web flows

For SDK and Web flows where AppSecret cannot be exposed to the browser — currently the Liveness SDK — use the Standalone Session flow instead of GetAppToken. Your backend obtains a sessionId, hands it to the browser, and the browser swaps it for the JWT at runtime.

Using the Token

Include the token in the Authorization header of all subsequent requests:

Authorization: Bearer your-token-here

Token Expiration

  • Tokens are valid for 24 hours
  • Store tokens securely and never expose them in client-side code

Security Best Practices

Token Storage

  • Store tokens in secure server-side storage
  • Never store tokens in client-side storage (localStorage, sessionStorage)
  • For browser flows, prefer the Standalone Session pattern so AppSecret never reaches the browser.
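
The following is an added example, not azakaw's own code: a backend helper that requests the token from GetAppToken, keeps it only in server process memory, renews it before the 24-hour lifetime runs out, and builds the Authorization header. Assumptions: the names AppTokenCache, http_fetch and creds_from_env, the AZAKAW_* environment variable names, the 5-minute renewal margin, and treating a statusCode other than 200 in the response body as a failure.

```python
import json, os, time, urllib.request

TOKEN_TTL = 24 * 3600      # from the page: tokens are valid for 24 hours
REFRESH_MARGIN = 300       # assumption: renew 5 minutes before expiry

def http_fetch(base_url, creds):
    """POST the credentials to GetAppToken and return the parsed JSON body."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/AppSessionManager/GetAppToken",
        data=json.dumps(creds).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class AppTokenCache:
    """Server-side, in-memory holder for the bearer token (hypothetical helper)."""

    def __init__(self, base_url, creds, fetch=http_fetch, clock=time.monotonic):
        self._base_url, self._creds = base_url, creds
        self._fetch, self._clock = fetch, clock
        self._token, self._expires_at = None, 0.0

    def token(self):
        # Fetch on first use and again once the renewal deadline has passed.
        if self._token is None or self._clock() >= self._expires_at:
            body = self._fetch(self._base_url, self._creds)
            token = (body.get("result") or {}).get("token")
            if body.get("statusCode") != 200 or not token:
                # Report only the API's messages; never log the secret or token.
                raise RuntimeError(f"GetAppToken failed: {body.get('messages')}")
            self._token = token
            self._expires_at = self._clock() + TOKEN_TTL - REFRESH_MARGIN
        return self._token

    def auth_header(self):
        return {"Authorization": f"Bearer {self.token()}"}

def creds_from_env(env=os.environ):
    """Read credentials from the environment (variable names are assumptions)."""
    return {
        "appId": env["AZAKAW_APP_ID"],
        "appSecret": env["AZAKAW_APP_SECRET"],
        "tenantId": env["AZAKAW_TENANT_ID"],
    }
```

On a real backend, construct it once with `AppTokenCache(auth_base_url, creds_from_env())` and pass `auth_header()` to each outgoing request; the fetch and clock parameters exist so the renewal logic can be exercised without network access.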