Documentation/developers/authentication.md

# Authentication

## Overview

TLAS uses OAuth 2.0 with JWT tokens for API authentication.

## Obtaining Credentials

Contact your administrator to receive:
- Client ID
- Client Secret
- Authorized scopes

## Token Request

```http
POST /auth/token HTTP/1.1
Host: api.tlas.gov.in
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&
client_id=YOUR_CLIENT_ID&
client_secret=YOUR_CLIENT_SECRET&
scope=applications:read applications:write
```

### Response

```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "applications:read applications:write"
}
```

## Using the Token

Include token in Authorization header:

```http
GET /applications/APP-2026-00001 HTTP/1.1
Host: api.tlas.gov.in
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
```

## Token Refresh

Tokens expire after 1 hour. Request new token before expiry.

## Available Scopes

| Scope | Access |
|-------|--------|
| `applications:read` | View applications |
| `applications:write` | Submit and update applications |
| `documents:read` | View documents |
| `documents:write` | Upload documents |
| `verification:read` | Verify certificates |

## DigiLocker OAuth

For citizen authentication via DigiLocker:

```http
GET /auth/digilocker/authorize?
  redirect_uri=https://yourapp.com/callback&
  state=random_state_value
```

User is redirected to DigiLocker. After consent, user returns with authorization code.

## Error Codes

| Code | Description |
|------|-------------|
| `invalid_client` | Unknown client ID |
| `invalid_grant` | Invalid credentials |
| `invalid_scope` | Requested scope not authorized |
| `expired_token` | Token has expired |
docs: Rebuild documentation as enterprise-grade TLAS platform - Migrate from custom HTTP server to VitePress framework - Rename project to Tokenized License Approval System (TLAS) - Add comprehensive documentation for all stakeholders: - Business: Executive summary, value proposition, governance - Operations: Infrastructure, installation, monitoring, backup - Departments: User guide, workflows, verification, issuance - Developers: API reference, authentication, webhooks, SDKs - Compliance: OWASP, DPDP Act, IT Act, audit framework - Add modern theme with dark mode and full-text search - Update Dockerfile for VitePress build process Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-10 00:05:20 -04:00			`# Authentication`

			`## Overview`

			`TLAS uses OAuth 2.0 with JWT tokens for API authentication.`

			`## Obtaining Credentials`

			`Contact your administrator to receive:`
			`- Client ID`
			`- Client Secret`
			`- Authorized scopes`

			`## Token Request`

			```http
			`POST /auth/token HTTP/1.1`
			`Host: api.tlas.gov.in`
			`Content-Type: application/x-www-form-urlencoded`

			`grant_type=client_credentials&`
			`client_id=YOUR_CLIENT_ID&`
			`client_secret=YOUR_CLIENT_SECRET&`
			`scope=applications:read applications:write`
			```

			`### Response`

			```json
			`{`
			`"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",`
			`"token_type": "Bearer",`
			`"expires_in": 3600,`
			`"scope": "applications:read applications:write"`
			`}`
			```

			`## Using the Token`

			`Include token in Authorization header:`

			```http
			`GET /applications/APP-2026-00001 HTTP/1.1`
			`Host: api.tlas.gov.in`
			`Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...`
			```

			`## Token Refresh`

			`Tokens expire after 1 hour. Request new token before expiry.`

			`## Available Scopes`

			`\| Scope \| Access \|`
			`\|-------\|--------\|`
			\| `applications:read` \| View applications \|
			\| `applications:write` \| Submit and update applications \|
			\| `documents:read` \| View documents \|
			\| `documents:write` \| Upload documents \|
			\| `verification:read` \| Verify certificates \|

			`## DigiLocker OAuth`

			`For citizen authentication via DigiLocker:`

			```http
			`GET /auth/digilocker/authorize?`
			`redirect_uri=https://yourapp.com/callback&`
			`state=random_state_value`
			```

			`User is redirected to DigiLocker. After consent, user returns with authorization code.`

			`## Error Codes`

			`\| Code \| Description \|`
			`\|------\|-------------\|`
			\| `invalid_client` \| Unknown client ID \|
			\| `invalid_grant` \| Invalid credentials \|
			\| `invalid_scope` \| Requested scope not authorized \|
			\| `expired_token` \| Token has expired \|