Generate Tokens

Generate an access token and refresh token that you can use to call our resource APIs.

For an overview of the authorization flow, see Authorizing Resource API Calls.

Once generated, an access token is valid for 10 hours.

Assuming that you are using the same client_id and client_secret, this request will return the same token set until the token expires or is revoked.

Call the Get Rate Limit API to view current rate limits and usage for your account. Alternatively, you can find rate limit values in the response header for a resource API call.

Resource URL

https://api.<region>.onelogin.com/auth/oauth2/v2/token

Sample Code

Replace sample values indicated by < > with your actual values.


curl 'https://api.us.onelogin.com/auth/oauth2/v2/token' \
-X POST \
-H "Authorization: client_id:<client_id>, client_secret:<client_secret>" \
-H "Content-Type: application/json" \
-d '{
  "grant_type":"client_credentials"
}'
      

const request = require("request")

let options = {
  method: 'POST',
  uri: 'https://api.us.onelogin.com/auth/oauth2/v2/token',
  auth: {
    user: 'ONELOGIN CLIENT ID',
    pass: 'ONELOGIN CLIENT SECRET'
  },
  json: {
    grant_type: 'client_credentials'
  }
}

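request(options, function(error, response, body){
  // Check for transport errors and non-200 responses before reading the token
  if (error || response.statusCode !== 200) {
    return console.error('Token request failed:', error || body.status)
  }
  let accessToken = body.access_token
})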
      

This example uses .NET Core 2.0.


using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;

.....

public async Task<string> GetAccessToken()
{
    var client = new HttpClient();

    var credentials = string.Format("{0}:{1}", "ONELOGIN CLIENT ID", "ONELOGIN CLIENT SECRET");

    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(
        "Basic",
        Convert.ToBase64String(Encoding.UTF8.GetBytes(credentials))
    );

    var request = new HttpRequestMessage(){
        Method = HttpMethod.Post,
        RequestUri = new Uri("https://api.us.onelogin.com/auth/oauth2/v2/token"),
        Content = new StringContent("{ \"grant_type\": \"client_credentials\" }")
    };

    // We add the Content-Type Header like this because otherwise dotnet
    // adds the utf-8 charset extension to it which is not compatible with OneLogin
    request.Content.Headers.ContentType = new MediaTypeHeaderValue("application/json");

    var response = await client.SendAsync(request);
    var responseBody = await response.Content.ReadAsStringAsync();

    dynamic json = JsonConvert.DeserializeObject(responseBody);

    return json.access_token;
}
      

require 'httparty'

response = HTTParty.post('https://api.us.onelogin.com/auth/oauth2/v2/token',
  basic_auth: {
    username: 'ONELOGIN CLIENT ID',
    password: 'ONELOGIN CLIENT SECRET'
  },
  body: { grant_type: 'client_credentials' }.to_json,
  headers: {
    'content-type' => 'application/json'
  }
)

puts response['access_token']
      

import requests

r = requests.post('https://api.us.onelogin.com/auth/oauth2/v2/token',
  auth=('ONELOGIN CLIENT ID','ONELOGIN CLIENT SECRET'),
  json={
    "grant_type": "client_credentials"
  }
)
response = r.json()

print(response['access_token'])
      

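// HTTP classes are Apache HttpClient 4.x; JSONObject is assumed to be org.json.JSONObject
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.json.JSONObject;

CloseableHttpClient client = HttpClientBuilder.create().build();

HttpPost request = new HttpPost("https://api.us.onelogin.com/auth/oauth2/v2/token");

// Build the Basic credential with an explicit charset rather than the platform default
String credentials = String.format("%s:%s", "ONELOGIN CLIENT ID", "ONELOGIN CLIENT SECRET");
String encodedAuth = Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
String authHeader = "Basic " + encodedAuth;

request.setHeader("Authorization", authHeader);
request.addHeader("Content-Type", "application/json");
request.setEntity(new StringEntity("{ \"grant_type\": \"client_credentials\" }", "UTF-8"));

// try-with-resources closes the response and releases the connection
try (CloseableHttpResponse response = client.execute(request)) {

  String content = EntityUtils.toString(response.getEntity());

  JSONObject json = new JSONObject(content);

  String accessToken = json.getString("access_token");

  System.out.println(accessToken);

} catch (IOException e) {
    e.printStackTrace();
}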
      

Header Parameters

Authorization

required

string

Set to Basic <base64 encoded "clientId:clientSecret">.

For example, in Node.js:

Buffer.from(`${client_id}:${client_secret}`).toString('base64');
        

For details about getting a client ID and client secret, see API Credentials.

Content-Type

required

string

Set to application/json.

Request Parameter

grant_type

required

string

Set to client_credentials.

Sample Request Body

{
   "grant_type": "client_credentials"
}

Sample Response


        {
            "access_token": "xx508xx63817x752xx74004x30705xx92x58349x5x78f5xx34xxxxx51",
            "created_at": "2015-11-11T03:36:18.714Z",
            "expires_in": 36000,
            "refresh_token": "628x9x0xx447xx4x421x517x4x474x33x2065x4x1xx523xxxxx6x7x20",
            "token_type": "bearer",
            "account_id": 555555
        }

Typically, the following error means that your grant_type value is incorrect. The grant_type in your request body must be set to client_credentials. See Sample Request Body above for an example.

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "grant_type is incorrect/absent"
 }
}

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "Content Type is not specified or specified incorrectly. Content-Type header must be set to application/json"
 }
}

Typically, the following error means that your Authorization header value is missing or incorrectly formatted. The Authorization header format must be: client_id:<client_id>, client_secret:<client_secret>.

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "The authorization information is missing"
 }
}

Typically, this error means that your client_id and/or client_secret values are invalid.

{
    "status": {
        "error": true,
        "code": 401,
        "type": "Unauthorized",
        "message": "Authentication Failure"
 }
}

Typically, this error means that you are using the incorrect method. Ensure that you are making a POST.

{
    "status": {
        "error": true,
        "code": 404,
        "type": "not found",
        "message": "No Route Exists"
 }
}

Response Elements

access_token

Provides the requested access token. You can use this token to call our resource APIs.

created_at

Time at which the access token was generated.

expires_in

Indicates that the generated access token expires in 36,000 seconds, 600 minutes, or 10 hours.

An expired access token cannot be used to make resource API calls, but it can still be used along with its associated refresh token to call the Refresh Tokens v2 API.

refresh_token

Provides the refresh token that is uniquely paired with the access token. You can use this token to request a refresh to its associated access token.

For more information about refreshing access tokens, see Refresh Tokens v2.

token_type

Indicates that the generated access token is a bearer token.

account_id

Account ID associated with the API credentials used to generate the token.
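
The following is an added example, not part of the original page or OneLogin's own code: it builds the Basic Authorization value, parses either the success body or the error envelope shown above, and turns created_at plus expires_in into an absolute expiry so a cached token set can be reused until shortly before it lapses. The function names, the 300-second renewal margin and the sample token values are assumptions constructed for illustration.

```python
import base64
import json
from datetime import datetime, timedelta, timezone


class TokenError(Exception):
    """Raised when the token endpoint returns its error envelope."""


def basic_auth_header(client_id, client_secret):
    # Authorization: Basic <base64("clientId:clientSecret")>, as in Header Parameters.
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_token_response(body):
    """Return the token set with an absolute UTC expiry, or raise TokenError."""
    data = json.loads(body)
    status = data.get("status")
    if isinstance(status, dict) and status.get("error"):
        # Surface only code and message; never echo credentials or tokens.
        raise TokenError(f"{status.get('code')}: {status.get('message')}")
    if (data.get("token_type") or "").lower() != "bearer" or not data.get("access_token"):
        raise TokenError("unexpected token response shape")
    created = datetime.strptime(data["created_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
    created = created.replace(tzinfo=timezone.utc)
    data["expires_at"] = created + timedelta(seconds=int(data["expires_in"]))
    return data


def needs_renewal(token, now, skew_seconds=300):
    # Renew slightly early so a request in flight never carries an expired token.
    return now >= token["expires_at"] - timedelta(seconds=skew_seconds)


def redact(token_value, keep=4):
    # Safe form for logs: a short prefix plus the length, not the bearer token itself.
    return f"{token_value[:keep]}...({len(token_value)} chars)"


# Constructed inputs modelled on the sample response and error bodies on this page.
SAMPLE_OK = json.dumps({
    "access_token": "constructed-access-token-value", "created_at": "2015-11-11T03:36:18.714Z",
    "expires_in": 36000, "refresh_token": "constructed-refresh-token-value",
    "token_type": "bearer", "account_id": 555555})
SAMPLE_ERR = json.dumps({"status": {"error": True, "code": 401,
                                    "type": "Unauthorized", "message": "Authentication Failure"}})

if __name__ == "__main__":
    tok = parse_token_response(SAMPLE_OK)
    print(redact(tok["access_token"]), "expires", tok["expires_at"].isoformat())
    print("renew now?", needs_renewal(tok, datetime.now(timezone.utc)))
```
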

Postman Collection

Replace sample variables indicated by {{ }} with your actual values.

Download for the OAuth 2.0 Tokens API version 2

