Service registration

If you have a service (client) that you want to interact with the OpenAIRE APIs you need to register it.

You can register up to 5 services.
We offer two ways of authenticting your service: the Basic Authentication and the Advanced Authentication.

Which one is for me?

How Client Credential Issuer Authentication Method
Basic Client ID & Client Secret OpenAIRE AAI server Client Secret (Basic)
Advanced Private Key signed JWT Service owner Private Key JWT Client Authentication

For the Basic Authentication method the OpenAIRE AAI server generates a pair of Client ID and Client Secret credentials for your service upon its registration. The service sends the client id and client secret when authenticating to the OpenAIRE AAI Server to obtain the access token for the OpenAIRE APIs. The OpenAIRE AAI server checks whether the client id and client secret sent is valid.
Continue reading for the Basic Authentication

For the Advanced Authentication method your service does not send a client secret but it uses a self signed client assertion to authenticate to the OpenAIRE AAI server in order to obtain the access token for the OpenAIRE APIs. The client assertion is a JWT that must be signed with RSASSA using SHA-256 hash algorithm. The OpenAIRE AAI server validates the client assertion using the public key that you have provided upon the service registration.
Continue reading for the Advanced Authentication

The Advanced Authentication method allows the OpenAIRE AAI server to verify that the client authentication request at the token endpoint was signed by your service and not altered in any way. This is more computation intensive compared to the Basic Authentication but it ensures non-repudiation. On the other hand, the Basic Authentication is more lightweight and easy to deploy but it does not provide signature verification, and there is always a possibility of the Client ID/secret credentials being stolen. Note that tThe Advanced authentication method gives a higher level of security to the process as long as it is used correctly, i.e. when the signed JWT has a short duration. When the duration of the JWT is long, the process is no different from the basic one.