Type: Guide
Status: Active. This is the current version.

Quick intro

Many of the PCA™ API operations can be accessed by applications with the authorisation of their currently logged-in user.

The following summarizes the user-based authorisation mode of accessing the PCA™ API:

- Applications (i.e. ClientSystems) obtain PCA™ API OAuth 2.0 access tokens from the PCA™ Identity and Access Manager using the OAuth 2.0 "authorization_code" grant type.
- The PCA™ Identity and Access Manager issues PCA™ API access tokens which are only valid for a limited time; no refresh tokens are issued. Clients must delete them when the user session is no longer active.

The figure shows the user-based authorisation pattern for the case where the ClientSystem has its own local user identity and authorisation implementation. In this case a local user session, hosted by the ClientSystem, is established in step 1, but the user is then required to authenticate separately to PRODA for the PCA API access tokens to be issued to the PCA Web Application (steps 2 to 14).

The case where the ClientSystem is the PCA™ Portal, or any similar web application that natively authenticates its users via PRODA, is the same as in the figure above, except that steps 1 and 2 are replaced by the user navigating with their browser to the web application's web site.

Note that the PCA™ Portal is also an OAuth 2.0 client of the PCA™ Identity and Access Manager like all other clients of the PCA™ APIs, i.e. it is also a ClientSystem.
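As an added illustration (not code from the PCA documentation, the PCA Portal or the Identity and Access Manager), the ClientSystem side of the pattern above in Python: a local user session (step 1) issues a session-bound `state`, exchanges the returned code with the standard RFC 6749 authorization_code token request, rejects any refresh token since this flow issues none, and deletes the access token when the local session ends. The endpoint URLs, the `post_form` helper (an HTTPS POST that returns the token response as a dict) and client authentication to the token endpoint are assumptions, not PCA specifics.

```python
import secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://idam.example.invalid/oauth2/authorize"  # placeholder, not a real PCA endpoint
TOKEN_URL = "https://idam.example.invalid/oauth2/token"          # placeholder, not a real PCA endpoint

class UserSession:
    """Local ClientSystem user session (step 1). Holds at most one PCA access token."""
    def __init__(self):
        self.pending_state = None     # state of the in-flight authorization request, if any
        self.access_token = None
        self.expires_at = 0.0
        self.active = True

def build_authorization_request(session, client_id, redirect_uri, scope):
    """Build the browser redirect to the IdAM with a fresh state value bound to this session."""
    session.pending_state = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": session.pending_state}
    return AUTHORIZE_URL + "?" + urlencode(params)

def handle_callback(session, callback_url, client_id, redirect_uri, post_form):
    """On the redirect back from the IdAM: check state, then exchange the code for an access token."""
    q = parse_qs(urlparse(callback_url).query)
    state = q.get("state", [""])[0]
    if (not session.active or not session.pending_state
            or not secrets.compare_digest(state.encode(), session.pending_state.encode())):
        raise ValueError("state mismatch or no pending authorization request for this session")
    session.pending_state = None  # state is single-use
    if "error" in q:
        raise ValueError("authorization refused: " + q["error"][0])
    # Token request fields per RFC 6749 section 4.1.3; post_form (assumed helper) does the HTTPS POST.
    resp = post_form(TOKEN_URL, {"grant_type": "authorization_code", "code": q["code"][0],
                                 "redirect_uri": redirect_uri, "client_id": client_id})
    if "refresh_token" in resp:
        raise ValueError("unexpected refresh_token: this flow issues none")
    session.access_token = resp["access_token"]
    session.expires_at = time.time() + float(resp["expires_in"])
    return session.access_token

def bearer_header(session, now=None):
    """Authorization header for a PCA API call, or None once the session or the token has lapsed."""
    now = time.time() if now is None else now
    if not session.active or session.access_token is None or now >= session.expires_at:
        return None
    return {"Authorization": "Bearer " + session.access_token}

def end_session(session):
    """Ending the local user session deletes the access token rather than keeping it for reuse."""
    session.active = False
    session.access_token, session.expires_at = None, 0.0
```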