guide/Authentication.md

+Authentication (and everything related to IAM) is managed by [Keycloak](https://www.keycloak.org/).
+
+Prior to accessing secured endpoints, a client (whether web app or mobile app) must first authenticate using keycloak.
+
+## Authentication details
+
+### Local
+
+```curl
+curl --location --request POST 'http://localhost:8180/auth/realms/rapidpass/protocol/openid-connect/token' \
+--header 'Content-Type: application/x-www-form-urlencoded' \
+--data-urlencode 'client_id=rapidpass-dashboard' \
+--data-urlencode 'username=ASK_IN_SLACK' \
+--data-urlencode 'password=ASK_IN_SLACK' \
+--data-urlencode 'grant_type=password'
+```
+
+Realm: `rapidpass`
+
+Client ID: `rapidpass-dashboard`
+
+### Dev
+
+```curl
+curl --location --request POST 'https://id.cxpass.org/auth/realms/rapidpass-dashboard-dev/protocol/openid-connect/token' \
+--header 'Content-Type: application/x-www-form-urlencoded' \
+--data-urlencode 'client_id=rapidpass-dashboard-dev' \
+--data-urlencode 'username=ASK_IN_SLACK' \
+--data-urlencode 'password=ASK_IN_SLACK' \
+--data-urlencode 'grant_type=password'
+```
+
+Realm: `rapidpass-dashboard-dev`
+
+Client ID: `rapidpass-dashboard-dev`
+
+### Expiry
+
+Access tokens last for 90 minutes. In case your access token has expired (and considered invalid), you may use [the refresh token to request for a new access token](https://stackoverflow.com/questions/51386337/refresh-access-token-via-refresh-token-in-keycloak).
\ No newline at end of file