Type Guide Status Active This is the current version. Quick introMany of the PCA API operations can be accessed by applications with the authorisation of their currently logged in user.The following summarizes the user-based authorisation mode of accessing the PCA API:Applications (i.e. ClientSystems) obtain PCA API OAuth 2.0 access tokens from the PCA Identity and Access Manager using the OAuth 2.0 “authorization_code” grant type.The PCA Identity and Access Manager issues PCA API access tokens which are only valid for a limited time – no refresh tokens are issued. Clients must delete them when the user session is no longer activeThe figure shows the user-based authorisation pattern for the case where the ClientSystem has its own local user identity and authorisation implementation. In this case a local user session, hosted by the ClientSystem, is established in step 1 – but the user is then required to authenticate separately to PRODA for the PCA API access tokens to be issued to the PCA Web Application (steps 2 to 14). The case where the ClientSystem is the PCA Portal, or any similar web application that natively authenticates its users via PRODA, is the same as in figure above except that steps 1 and 2 are replaced by the user navigating with their browser to the web application web site.Note that the PCA Portal is also an OAuth 2.0 client of the PCA Identity and Access Manager like all other clients of the PCA APIs – i.e. it is also a ClientSystem.