Authentication

Every request to any AmTrust API must carry an access token, so your client must be able to obtain a token and send it with each request. Requests must be made over an SSL-encrypted connection and must use HTTP POST.

You must obtain the following from AmTrust:

client_id: a credential supplied by AmTrust

client_secret: a credential supplied by AmTrust

username: only required for identity-based tokens; supplied by AmTrust

password: only required for identity-based tokens; supplied by AmTrust

subscriber_id: provided by AmTrust and required on every API call. Please see the Using the API section below.

If you do not know any part of your AmTrust security information, please contact our help desk or your support representative before moving forward.

Once these requirements are met, you can obtain an access token. Access tokens are valid for four hours and can be reused within that period. You must obtain another access token after expiration.

Getting a General Access Token

General authorization is for our APIs that do NOT require a user identity. That token is provided by AmTrust’s AuthServer and has a set expiration. Failure to send a token or sending an expired token will result in an Unauthorized response.

To authorize in our UAT environment, issue the following request:

POST /AuthServer_usertest/OpenIdConnect/Token HTTP/1.1
Host: uatauth.amtrustgroup.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>&scope=openid profile

To authorize in our Production environment, issue the following request:

POST /AuthServer/OpenIdConnect/Token HTTP/1.1
Host: auth.amtrustgroup.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>&scope=openid profile

Getting a User Authenticated Token

Some of our APIs require an identity-based bearer token in the header of every request. That token is provided by AmTrust’s AuthServer and has a set expiration. Failure to send a token, or sending an expired token, will result in an Unauthorized response.

The client_id and client_secret properties will be provided for each environment as you progress through implementation. AmTrust will also provide a username and password for the Test environment only. Your production credentials are managed by AmTrust’s Agency Services group. Our support team CANNOT provide or reset Live credentials under any circumstances.

To authenticate in our UAT environment, issue the following request:

curl -X POST \
  https://uatauth.amtrustgroup.com/AuthServer_usertest/OpenIdConnect/Token \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'grant_type=password&client_id=00000000-0000-0000-0000-000000000000&client_secret=00000000-0000-0000-0000-000000000000&username=user&password=pass&scope=openid profile legacy_info legacy_id&response_type=token id_token'

To authenticate in our Prod environment, issue the following request:

curl -X POST \
  https://auth.amtrustgroup.com/AuthServer/OpenIdConnect/Token \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'grant_type=password&client_id=00000000-0000-0000-0000-000000000000&client_secret=00000000-0000-0000-0000-000000000000&username=user&password=pass&scope=openid profile legacy_info legacy_id&response_type=token id_token'

Note: the field names in the request body follow the credential list at the top of this page (client_id, client_secret, username, password) and the standard scope parameter; the name of the final field carrying "token id_token" is not shown on this page, and response_type is assumed.

Authentication Results

If authentication worked, the following response will be received:

{
  "token_type": "bearer",
  "access_token": "EMnbRsDNWyoGUUDOUQwlGVd8l6TXxuR1g05zvL58x7bHMN7kjNyt5FlSmxZyXsw_YvR16ZQlhUj7k_wH30DtorvBVb7MEn9xUdg70Nhp-rk1oiOur-V-fJArh2yKyX_RdFAa42TxpRv...",
  "expires_in": 14397
}

Otherwise, a failure will return a message as to why it failed:

{
  "error": "invalid_grant",
  "error_description": "The username or password is incorrect."
}
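The following is an added example, not AmTrust's code, that ties together the two grants above and the success and failure documents in this section: it builds the form body for either the general (client_credentials) or identity (password) grant, caches the token and reuses it until shortly before expires_in runs out, and raises on the invalid_grant error document. It assumes the standard OAuth2 form-field names client_id, client_secret, username, password and scope, and takes an injected transport so that it runs offline against constructed responses.

```python
# Added example, not AmTrust's code: obtain an AuthServer token with either
# grant, reuse it until it is about to expire, and surface the error document
# the page shows for a failed login. Assumed (not stated on the page): the
# standard OAuth2 form-field names client_id, client_secret, username,
# password and scope, and an injected transport so the example runs offline.
import json
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.error import HTTPError
from urllib.parse import parse_qsl, urlencode
from urllib.request import Request, urlopen

# Token endpoints as given on the page.
UAT_TOKEN_URL = "https://uatauth.amtrustgroup.com/AuthServer_usertest/OpenIdConnect/Token"
PROD_TOKEN_URL = "https://auth.amtrustgroup.com/AuthServer/OpenIdConnect/Token"

# A transport posts a form body to a URL and returns (status_code, response_text).
Transport = Callable[[str, bytes], Tuple[int, str]]


class AuthError(Exception):
    """AuthServer answered with an OAuth2 error document instead of a token."""


def build_token_body(client_id: str, client_secret: str,
                     username: Optional[str] = None, password: Optional[str] = None,
                     scope: str = "openid profile") -> bytes:
    """Form body for the general (client_credentials) or identity (password) grant.

    urlencode() percent-encodes the spaces in the scope list, so the body is
    valid application/x-www-form-urlencoded.
    """
    params: Dict[str, str] = {
        "grant_type": "password" if username is not None else "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if username is not None:
        params["username"] = username
        params["password"] = password or ""
    params["scope"] = scope
    return urlencode(params).encode("ascii")


def https_transport(url: str, body: bytes) -> Tuple[int, str]:
    """Real transport over HTTPS (urllib verifies the server certificate by default)."""
    req = Request(url, data=body, method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except HTTPError as err:  # a 4xx answer carries the error JSON in its body
        return err.code, err.read().decode("utf-8")


class TokenCache:
    """Fetches a bearer token once and reuses it until shortly before expiry."""

    def __init__(self, url: str, body: bytes, transport: Transport = https_transport,
                 clock: Callable[[], float] = time.monotonic, skew_seconds: int = 60):
        self.url, self.body, self.transport, self.clock = url, body, transport, clock
        self.skew = skew_seconds          # refresh this long before expires_in runs out
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def token(self) -> str:
        if self._token is None or self.clock() >= self._expires_at - self.skew:
            self._refresh()
        return self._token  # type: ignore[return-value]

    def _refresh(self) -> None:
        status, text = self.transport(self.url, self.body)
        doc = json.loads(text)
        if status != 200 or "access_token" not in doc:
            raise AuthError(f"{doc.get('error', status)}: {doc.get('error_description', '')}")
        if str(doc.get("token_type", "")).lower() != "bearer":
            raise AuthError(f"unexpected token_type {doc.get('token_type')!r}")
        self._token = doc["access_token"]
        self._expires_at = self.clock() + int(doc["expires_in"])


# Constructed responses modelled on the two documents shown on the page (sample data).
GOOD_RESPONSE = json.dumps({"token_type": "bearer", "access_token": "EXAMPLE-TOKEN-1",
                            "expires_in": 14397})
BAD_RESPONSE = json.dumps({"error": "invalid_grant",
                           "error_description": "The username or password is incorrect."})


def fake_transport(url: str, body: bytes) -> Tuple[int, str]:
    """Offline stand-in for AuthServer: the only valid constructed password is 'pass'."""
    fields = dict(parse_qsl(body.decode("ascii")))
    if fields["grant_type"] == "password" and fields.get("password") != "pass":
        return 400, BAD_RESPONSE
    return 200, GOOD_RESPONSE


if __name__ == "__main__":
    body = build_token_body("cid", "csecret", "user", "pass",
                            scope="openid profile legacy_info legacy_id")
    cache = TokenCache(UAT_TOKEN_URL, body, transport=fake_transport)
    print(cache.token())   # first call fetches a token
    print(cache.token())   # second call reuses the cached token
```

Swapping fake_transport for https_transport and the constructed credentials for the ones AmTrust issues turns this into a working client; the skew keeps a token that is seconds from expiring out of a live request, which is the usual cause of an unexpected Unauthorized answer from the gateway.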

Using the API

Once a bearer access token and subscriber_id have been obtained, all calls must carry both in the request headers:

POST /MyApi/api/v1/quotes HTTP/1.1
Host: gateway.amtrustgroup.com
Content-Type: application/json
Authorization: Bearer <access token>
subscriber_id: <subscriber_id>
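As an added example (not AmTrust's code), the request above expressed as a small client: it refuses to send a call without both credentials, places the token in the Authorization header and the subscriber_id in its own header, and retries exactly once with a fresh token when the gateway answers 401 Unauthorized, which is the response this page says an expired token produces. The transport signature, the fake gateway and the DemoTokens source are assumptions made so the example runs offline; get_token and refresh would normally come from whatever caches your AuthServer token.

```python
# Added example, not AmTrust's code: send a gateway request carrying the
# bearer token and subscriber_id headers from the page, and retry exactly once
# with a fresh token when the gateway answers 401 Unauthorized. Assumed: an
# injected transport (url, headers, body) -> (status, text) so the example
# runs offline, and caller-supplied get_token/refresh callables.
import json
from typing import Any, Callable, Dict, Tuple

GATEWAY_URL = "https://gateway.amtrustgroup.com"   # host from the page

Transport = Callable[[str, Dict[str, str], bytes], Tuple[int, str]]


def build_headers(access_token: str, subscriber_id: str) -> Dict[str, str]:
    """Headers every gateway call must carry; refuse to send an empty credential."""
    if not access_token or not subscriber_id:
        raise ValueError("both an access token and a subscriber_id are required")
    return {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {access_token}",
        "subscriber_id": subscriber_id,
    }


def post_json(path: str, payload: Any, subscriber_id: str,
              get_token: Callable[[], str], refresh: Callable[[], None],
              transport: Transport) -> Tuple[int, str]:
    """POST a JSON body; on 401 obtain a new token and retry once, never in a loop."""
    body = json.dumps(payload).encode("utf-8")
    status, text = transport(GATEWAY_URL + path, build_headers(get_token(), subscriber_id), body)
    if status == 401:
        refresh()  # token expired or was rejected: get a new one and retry a single time
        status, text = transport(GATEWAY_URL + path, build_headers(get_token(), subscriber_id), body)
    return status, text


# Constructed offline gateway (sample data): accepts only subscriber "sub-123" and token "fresh".
def fake_gateway(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    if not url.startswith(GATEWAY_URL + "/MyApi/api/v1/"):
        return 404, "Not Found"
    if headers.get("subscriber_id") != "sub-123":
        return 403, json.dumps({"error": "unknown subscriber_id"})
    if headers.get("Authorization") != "Bearer fresh":
        return 401, "Unauthorized"
    return 200, json.dumps({"received": json.loads(body)})


class DemoTokens:
    """Constructed token source: hands out a stale token until refresh() is called."""

    def __init__(self) -> None:
        self.current = "stale"
        self.refreshes = 0

    def get(self) -> str:
        return self.current

    def refresh(self) -> None:
        self.current = "fresh"
        self.refreshes += 1


if __name__ == "__main__":
    tokens = DemoTokens()
    print(post_json("/MyApi/api/v1/quotes", {"policy": "example"}, "sub-123",
                    tokens.get, tokens.refresh, fake_gateway))
```

Limiting the retry to one attempt matters: if the second call is still Unauthorized, the problem is the credentials or the subscriber_id rather than token age, and looping on AuthServer would only hide that.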