
Generate Tokens

Generate an access token and refresh token that you can use to call our resource APIs.

This API endpoint wraps the token in a status/data envelope (see Sample Response below). That envelope is not standard OAuth 2.0, so off-the-shelf OAuth 2.0 client libraries cannot consume it. We continue to support this endpoint, but recommend that for new development you use the Generate Tokens v2 API.

For an overview of the authorization flow, see Authorizing Resource API Calls.

Once generated, an access token is valid for 10 hours.

However, note that generating another set of tokens with the same client ID and client secret immediately invalidates any existing tokens, even if they are less than 10 hours old. Cache and reuse a token for its lifetime rather than requesting a new one for every call, or a second process sharing the same credentials will revoke the token the first one is using.

An access token has a rate limit of 5,000 calls per hour. Once an access token exceeds this limit, further API calls return an error until the hour has passed, at which point the count resets to a full 5,000 available calls.

Call the Get Rate Limit API to view current rate limits for an access token. Alternatively, you can find rate limit values in the response header for a resource API call.

Resource URL

https://api.<us_or_eu>.onelogin.com/auth/oauth2/token

Header Parameters

Authorization

required

string

Set to client_id:<client_id>, client_secret:<client_secret>.

For details about getting a client ID and client secret, see API Credentials.

Content-Type

required

string

Set to application/json.

Request Parameter

grant_type

required

string

Set to client_credentials.

Sample Request Body

{
   "grant_type": "client_credentials"
}

Sample Response

{
    "status": {
        "error": false,
        "code": 200,
        "type": "success",
        "message": "Success"
    },
    "data": [
        {
            "access_token": "xx508xx63817x752xx74004x30705xx92x58349x5x78f5xx34xxxxx51",
            "created_at": "2015-11-11T03:36:18.714Z",
            "expires_in": 36000,
            "refresh_token": "628x9x0xx447xx4x421x517x4x474x33x2065x4x1xx523xxxxx6x7x20",
            "token_type": "bearer",
            "account_id": 555555
        }
    ]
}

Typically, the following error means that your grant_type value is incorrect. The grant_type in your request body must be set to client_credentials. See Sample Request Body above for an example.

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "grant_type is incorrect/absent"
    }
}

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "Content Type is not specified or specified incorrectly. Content-Type header must be set to application/json"
    }
}

Typically, the following error means that your Authorization header value is missing or incorrectly formatted. The Authorization header format must be: client_id:<client_id>, client_secret:<client_secret>.

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "The authorization information is missing"
    }
}

Typically, this error means that your client_id and/or client_secret values are invalid (the header was parsed, but the credentials did not authenticate).

{
    "status": {
        "error": true,
        "code": 401,
        "type": "Unauthorized",
        "message": "Authentication Failure"
    }
}

Typically, this error means that you are using the incorrect HTTP method. Ensure that you are making a POST request.

{
    "status": {
        "error": true,
        "code": 404,
        "type": "not found",
        "message": "No Route Exists"
    }
}

Response Elements

access_token

Provides the requested access token. You can use this token to call our resource APIs.

created_at

Time at which the access token was generated.

expires_in

Lifetime of the generated access token, in seconds: 36,000 seconds, which is 600 minutes or 10 hours.

An expired access token cannot be used to make resource API calls, but it can still be used along with its associated refresh token to call the Refresh Tokens API.

refresh_token

Provides the refresh token that is uniquely paired with the access token. You can use this token to request a refresh to its associated access token.

For more information about refreshing access tokens, see Refresh Tokens.

token_type

Indicates that the generated access token is a bearer token.

account_id

Account ID associated with the API credentials used to generate the token.

Postman Collection

Replace sample variables indicated by {{ }} with your actual values.

Download for the OAuth 2.0 Tokens API

Sample Code

cURL

Replace sample values indicated by < > with your actual values.

curl 'https://api.us.onelogin.com/auth/oauth2/token' \
-X POST \
-H "Authorization: client_id:<client_id>, client_secret:<client_secret>" \
-H "Content-Type: application/json" \
-d '{ 
    "grant_type":"client_credentials"
}'

C#

See Get Access Token and Users.

Python

See Work with OAuth 2.0 Tokens, Users, and Roles.
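The following is an added example, not OneLogin's own sample code. It puts together the request described above (the client_id:/client_secret: Authorization header, the application/json content type, and the client_credentials body), unwraps the non-standard status/data envelope into a token object, raises on the 400/401/404 error envelopes, and caches the token until expires_in has elapsed so the same credentials are not used to regenerate (and therefore invalidate) a token that is still in use. The TokenCache, TokenError and Token names, the 60-second expiry skew, and the pluggable transport and clock are this example's own design choices; the sample bodies are constructed copies of the responses shown on this page.

```python
# Added example, not OneLogin's own code: a client for the v1 Generate Tokens endpoint.
import json
import time
import urllib.error
import urllib.request
from dataclasses import dataclass

TOKEN_URL = "https://api.{region}.onelogin.com/auth/oauth2/token"  # region is "us" or "eu"
EXPIRY_SKEW = 60  # seconds; treat a token as expired slightly early so in-flight calls do not fail

class TokenError(Exception):
    """The status envelope reported error=true (the 400/401/404 cases on this page)."""
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code, self.message = code, message

@dataclass
class Token:
    access_token: str
    refresh_token: str
    expires_at: float  # epoch seconds: time of receipt + expires_in
    account_id: int

def build_request(region, client_id, client_secret):
    """(url, headers, body) for the POST on this page; note the non-standard Authorization format."""
    headers = {
        "Authorization": f"client_id:{client_id}, client_secret:{client_secret}",
        "Content-Type": "application/json",
    }
    body = json.dumps({"grant_type": "client_credentials"}).encode()
    return TOKEN_URL.format(region=region), headers, body

def parse_token_response(http_status, raw_body, received_at):
    """Unwrap the v1 status/data envelope; raise TokenError instead of returning a bad token."""
    payload = json.loads(raw_body)
    status = payload.get("status", {})
    if status.get("error") or http_status != 200:
        raise TokenError(status.get("code", http_status), status.get("message", "unknown error"))
    data = payload["data"][0]
    return Token(data["access_token"], data["refresh_token"],
                 received_at + int(data["expires_in"]), int(data["account_id"]))

def urllib_transport(url, headers, body):
    """Real HTTP: returns (status, body) even for 4xx, whose body carries the error envelope."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

class TokenCache:
    """One live token per credential pair; regenerating early would revoke the token in use."""
    def __init__(self, region, client_id, client_secret, transport=urllib_transport, clock=time.time):
        self._creds = (region, client_id, client_secret)
        self._transport, self._clock, self._token = transport, clock, None

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._token.expires_at - EXPIRY_SKEW:
            status, raw = self._transport(*build_request(*self._creds))
            self._token = parse_token_response(status, raw, now)
        return self._token

# Constructed sample bodies, copied from the Sample Response and the 401 example on this page.
SAMPLE_SUCCESS = (b'{"status":{"error":false,"code":200,"type":"success","message":"Success"},'
                  b'"data":[{"access_token":"xx508xx63817x752xx74004x30705xx92x58349x5x78f5xx34xxxxx51",'
                  b'"created_at":"2015-11-11T03:36:18.714Z","expires_in":36000,'
                  b'"refresh_token":"628x9x0xx447xx4x421x517x4x474x33x2065x4x1xx523xxxxx6x7x20",'
                  b'"token_type":"bearer","account_id":555555}]}')
SAMPLE_AUTH_FAILURE = b'{"status":{"error":true,"code":401,"type":"Unauthorized","message":"Authentication Failure"}}'

def demo():
    """Offline run with a fake transport and a controllable clock; returns what a caller can check."""
    calls, clock = [], {"now": 1_000_000.0}

    def fake_transport(url, headers, body):
        calls.append((url, headers["Authorization"], json.loads(body)["grant_type"]))
        return 200, SAMPLE_SUCCESS

    cache = TokenCache("us", "<client_id>", "<client_secret>", fake_transport, lambda: clock["now"])
    first = cache.get()
    second = cache.get()          # within 10 hours: served from cache, no new POST
    clock["now"] += 36000         # past expires_in: the next get() regenerates
    third = cache.get()
    try:
        parse_token_response(401, SAMPLE_AUTH_FAILURE, clock["now"])
        error_code = None
    except TokenError as err:
        error_code = err.code
    return {
        "posts": len(calls),
        "url": calls[0][0],
        "auth_header": calls[0][1],
        "grant_type": calls[0][2],
        "reused_before_expiry": first is second,
        "regenerated_after_expiry": third is not second,
        "lifetime_seconds": first.expires_at - 1_000_000.0,
        "error_code": error_code,
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real tenant, construct TokenCache with the default transport and clock and call get() before each resource API request; the two POSTs in demo() are the initial generation and the one after the simulated 10-hour expiry, with every call in between reusing the cached token. The Refresh Tokens API described on this page is an alternative to regenerating once the token has expired and is not covered by this example.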

