# Authentication These endpoint allow you to create and manage access tokens to be used in API calls. Unlike most other endpoints, when creating an access token, these do not require an access token to be used. Instead you authenticate via another secure mechanism and in exchange you retrieve an access token. ## Password Authentication - [POST /auth/token/password](https://test-docs.discovery-staging.verifiable.com/references/development/deprecated/api/authentication/passwordauth.md): Endpoint for authentication using an email and password for a user already registered at Verifiable. In return you will receive an access token that can be used in the following API calls. Note: The account may require a password change for successful authentication. If password change is required and newPassword is not set the server returns 409 Conflict. If newPassword is set but the current password is not correct the server returns 403 Forbidden. Note: If newPassword is set it must be different than the current password. If the password is the same the server returns 400 Bad Request. Note: When newPassword is set and the request returns 200 Ok, all the active access tokens will be invalidated. ## Resets a password - [POST /auth/password/reset](https://test-docs.discovery-staging.verifiable.com/references/development/deprecated/api/authentication/passwordreset.md): Endpoint for changing a password using a token. ## Requests a password reset - [POST /auth/password/requestreset](https://test-docs.discovery-staging.verifiable.com/references/development/deprecated/api/authentication/requestpasswordreset.md): Endpoint for requesting a password reset. If the e-mail sent in the body of this request has an account associated with it, a message with a link for changing the password will be sent to it. ## Google Authentication - [POST /auth/token/google](https://test-docs.discovery-staging.verifiable.com/references/development/deprecated/api/authentication/googleauth.md): It is possible to use Google Sign-In for authentication with the Verifiable API. In order to do so we follow the Google Sign-In for server-side apps flow. In order to use this flow you must use the client ID from Verifiable when signing in to Google and send the authorization code as payload to this endpoint. In return you will receive an access token that can be used in the following API calls. The email address of the user must already be registered at Verifiable. ## List active access tokens - [GET /auth/token](https://test-docs.discovery-staging.verifiable.com/references/development/deprecated/api/authentication/listactiveaccesstokens.md): Returns all access tokens for the current user that are neither expired, nor invalidated. ## Invalidate an access token - [POST /auth/token/{tokenId}/invalidate](https://test-docs.discovery-staging.verifiable.com/references/development/deprecated/api/authentication/invalidateaccesstoken.md): Invalidates an access token so that it can no longer be used. ## Invalidate multiple access tokens - [POST /auth/token/invalidate](https://test-docs.discovery-staging.verifiable.com/references/development/deprecated/api/authentication/invalidateaccesstokens.md): Invalidates multiple access tokens that belongs to the user making the request so they can no longer be used. ## OAuth Authentication - [POST /auth/oauth/token](https://test-docs.discovery-staging.verifiable.com/references/development/deprecated/api/authentication/oauthtoken.md): It is possible to use the OAuth Client Credentials flow to authenticate with the Verifiable API. In order to use this flow, you must use the client ID and a client secret from Verifiable. You must send the client credentials along with the grant type client_credentials in a URL-encoded format.