Authentication for the Consumer API is based on the concept of OAuth Access Tokens and OpenID Connect Identity Tokens.

See the Authentication Framework docs for details that apply to all authentication schemes.

Permissions and Scope Enforcement

  • API endpoints are protected by an OAuth / OpenID Connect scope as part of the Permissions Flow.

  • The OAuth / OpenID Connect scope required for a specific API endpoint can be found in the endpoint’s definition in the API Reference.


The GET ​/users​/{userId} endpoint requires the scope to be requested, as defined in the API Reference.

Permission must be granted as defined in the Permissions Flow to access the endpoint and successfully receive data.

Scope Example in API Reference