Render Login Page

Within your partner portal, users should click the "Viant Authentication" button to begin the authentication process. This will redirect them to Viant’s secure login page.

Steps:

The user enters their Viant-issued username and password.
Upon successful authentication, an authorization code is generated.
This code is automatically sent to the CDP/Data Partner's redirect URI i.e redirect uri?code=authorization_code

Endpoint

GET /v1/oauth2/login?redirect_uri=<CDP's callback uri>&client_id=<client id>

Parameter Name	Description	Required
`client_id`	Unique identifier created by Viant for the CDP/Data partner	Yes
`redirect_uri`	The callback URI endpoint to receive the authorization code	Yes
`state`	Random string to prevent CSRF attacks	Optional
`code_challenge`	PKCE security parameter (43--128 characters)	Optional
`code_challenge_method`	Must be `"plain"` or `"S256"` if `code_challenge` is used	Optional

Note: For PKCE implementation guidance, refer to AWS Cognito documentation.

Exchange Code for JWT Token

Once the user is authenticated and redirected, your app must exchange the authorization code for tokens.

Endpoint

POST v1/oauth2/token

Headers:

Authorization: Basic {base64_encoded_client_id:client_secret}

Request Body:

This endpoint supports both JSON and form-encoded request formats:

Content-Type: application/json

Request Payload:
{
  "grant_type": "authorization_code"
  "code" : "eyJjdHkiOiJKV1Q...",
  "redirect_uri": "CDP's callback uri"
}

Content-Type: application/x-www-form-urlencoded

Request Payload:
grant_type=authorization_code&code=eyJjdHkiOiJKV1Q...&redirect_uri=CDP's callback uri

Successful Response:

{ 
  "access_token" : "eyJraWQiOiJLVk....",
  "expires_in" : 86400,
  "id_token" : "eyJraWQiOi....",
  "token_type" : "Bearer"
}

Parameter Name	Description	Required
`client_id`	Unique identifier provided by Viant	Yes
`client_secret`	Secret provided by Viant	Yes
`code`	Authorization code from login flow	Yes
`redirect_uri`	Must exactly match original redirect URI used	Yes
`code_verifier`	Required only if PKCE was used	Optional

How it works?

After successful authentication, the user is redirected to your specified redirect_uri with an authorization code

Your CDP application extracts the code from the URL
Your application sends this code to this endpoint
The endpoint validates the code and returns the necessary tokens
Your application can then use these tokens to access protected services

Refresh Access Token

Use this endpoint to refresh your access token using the refresh token provided during authentication.

Endpoint: POST /v1/oauth2/token

Headers:

Authorization: Basic {base64_encoded_client_id:client_secret}

Request Body:

Content-Type: application/json

Request Payload:
{
  "grant_type": "refresh_token",
  "refresh_token" : "eyJjdHkiOiJKV1Q..."
}

Content-Type: application/x-www-form-urlencoded

Request Payload:
grant_type=refresh_token&refresh_token=eyJjdHkiOiJKV1Q...

Response (Success):

{ 
  "access_token" : "eyJraWQiOiJLVk....",
  "expires_in" : 86400,
  "id_token" : "eyJraWQiOi....",
  "token_type" : "Bearer"
}

Response (Failure):

{
  "error_description" : "error message",
  "error": "error code"
}