---
title: "Authentication"
slug: "authentication-1"
updated: 2023-12-04T12:30:52Z
published: 2023-12-04T12:30:52Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.plainid.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

## General

Authentication to use the PlainID Policy Decision Point APIs can be done by passing the ClientID and ClientSecret in the following methods:

1. As part of the REST API Request Body.
2. As part of the REST API Request Header.
3. As part of a valid JWT that can be verified using the JWT Issuer's JWKS URL.

### Using the Authorization Request Body

#### Sample Request Body for the Permit/Deny Endpoint

#### Request URL

```
https:///acme-finance.us1.plainid.io/api/runtime/permit-deny/v3
```

#### Request Body

```
{
    "entityId": "UX-12345",
    "entityTypeId": "bank_users",
    "clientId": "{ClientID}",
    "clientSecret": "{ClientSecret}",
    "responseType": "accessDecision",
    "listOfResources": [
        {
            "resourceType": "Accounts",
            "resources": [
                {
                    "action": "Access",
                    "path": "AS-XX-12575"
                }
            ]
        }
    ]
}
```

### Using the Authorization Request Header

By adding the following headers to the Authorization Request:

| Header Key | Header Value |
| --- | --- |
| X-Client-Id | The PlainID Scope ClientID |
| X-Client-Secret | The PlainID Scope ClientSecret |

### Using the Authorization Request JWT

PlainID Policy Decision Point can also authorize access to the Authorization APIs.

Please note - the `clientId`and `entityId` must be passed as part of the Authorization Request Body or Header.

The JWT should be valid - the Policy Decision Point will validate the JWT by using the JWKS URL of the JWT Issuer (Authorization Server, IDP, etc.).

If the JWT is invalid - no identity attributes are extracted to be used in the Policy Decision calculation.

The JWKS URLs can be configured in the PlainID Policy Administration Point under Tenant Management > Policy Authorization Agents.

#### Sample JWT

```
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "businessData": {
    "department": "Home Loans",
    "branch": "TX"
  },
  "phoneNumbers": [
    {
      "type": "land",
      "number": "0123-4567-8888"
    },
    {
      "type": "mobile",
      "number": "0333-4567-9999"
    }
  ]
}
```

Encoding and Decoding of JWT can be done by accessing [https://jwt.io](https://jwt.io)

#### Using the JWT as Identity Attribute Source

The Claims from the JWT can be used to obtain information about the Identity (the user).

The unique identity of the user (entityId) is **still required in the request body** when using JWT as an identity source.

In the PlainID Policy Administration Point access the Identity Workspace, and map the relevant claims from the JWT to the corresponding Identity Attributes: ![authentication attribute source.png](https://cdn.document360.io/726c7002-05a9-480e-b986-42c9e8824acd/Images/Documentation/authentication%20attribute%20source.png)

#### Sample JWT Claims Mapping to Identity Attributes

| Identity Attribute | Claim Name | JSON Path | Value |
| --- | --- | --- | --- |
| Name | name | `$.name` | John Doe |
| Departement | department | `$.businessData.departement` |  |
| HomePhone | phoneNumbers | `$.phoneNumbers[:1].number` The first value from the `phoneNumbers` array | 0123-4567-8888 |
| CellPhone | phoneNumbers | `$.phoneNumbers[?(@.type=='mobile')].number` The value with the type `mobile` from the `phoneNumbers` array | 0333-4567-9999 |